2 questions about start_tls (was: Re: [Samba] TLS and ldap referals)
lacoste at miage.univ-paris12.fr
Wed Jul 25 14:17:45 GMT 2007
On Thursday 14 June 2007 13:56, Thierry Lacoste wrote:
> On Thursday 14 June 2007 10:17, Andrew Bartlett wrote:
> > On Wed, 2007-06-06 at 22:40 +0200, Thierry Lacoste wrote:
> > > I have a samba PDC with a master openldap server
> > > and a samba BDC with a slave openldap server.
> > > Replication is done with slurpd with a TLS connection
> > > and the slave ldap server has an updateref pointing
> > > to the master (I don't use ldaps).
> > >
> > > On each domain controller my smb.conf contains:
> > > passdb backend = ldapsam:ldap://localhost
> > >
> > > Now I'd like my ldap servers to reject non TLS connections
> > > except on the loopback interface (to avoid unnecessary
> > > encryption).
> > >
> > > Is it possible to configure my BDC so that TLS is used when
> > > chasing the referral but connections to its passdb backend
> > > are not encrypted?
> > Perhaps if the referrals were given as an LDAPS URL in the server? In
> > terms of localhost allowing cleartext, perhaps use ldapi://, which is by
> > definition local only.
> > Andrew Bartlett
> Apparently everything is working as I want but I'd like to understand
> the magic behind.
> On both servers, my very first ACL in slapd.conf is:
> # first, make sure TLS or localhost
> access to *
> by tls_ssf=1 none break
> by peername.ip="127.0.0.1" none break
> by * none
> so cleartext sessions are indeed rejected except on the loopback.
> On the slave I have
> updateref ldap://my.master.ldap.server
> On both servers my smb.conf contains:
> passdb backend = ldapsam:ldap://127.0.0.1
> BTW if I use localhost instead of 127.0.0.1, ldap connections are rejected.
> When I shut down the PDC, log on to a Windows client and update my password
> I get a "domain unavailable" error as expected.
> When I restart the master and do it again, everything is OK.
> Therefore I guess the referral is chased and TLS is used, or did I miss
> It's working great but I can't find a satisfactory explanation on how.
> Can someone shed some light on what's happening?
From man smb.conf:
ldap ssl (G)
This option is used to define whether or not Samba should use
SSL when connecting to the ldap server. This is NOT related to
Samba's previous SSL support which was enabled by specifying
the --with-ssl option to the configure script.
The ldap ssl can be set to one of three values:
o Off = Never use SSL when querying the directory.
o Start_tls = Use the LDAPv3 StartTLS extended operation
(RFC2830) for communicating with the directory server.
o On = Use SSL on the ldaps port when contacting the ldap
server. Only available when the backwards-compatibility
--with-ldapsam option is specified to configure. See passdb
Default: ldap ssl = start_tls
I have two questions about start_tls:
1) does it apply on the loopback when
passdb backend = ldapsam:ldap://127.0.0.1
2) does it apply when chasing referrals?
If the answers are respectively no and yes I think I have the explanation
I was looking for.
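As an added illustration, not taken from the thread above and not Samba's or OpenLDAP's own documentation, here is how the "TLS or local only" policy the poster describes can be written so that it does not depend on how `localhost` resolves. It assumes OpenLDAP 2.3-era slapd.conf syntax, an ldapi socket at /var/run/slapd/ldapi, the master name master.example.com and the certificate paths shown; all of those are placeholders. One caveat worth knowing (my observation, not something the thread establishes): if `localhost` resolves to `::1`, a `peername.ip="127.0.0.1"` clause does not match it, which would make a cleartext connection to `localhost` fall through to `by * none`; connecting to 127.0.0.1 explicitly, or using ldapi://, sidesteps that.

```conf
# slapd.conf (added example, not the poster's file)

# Started with: slapd -h "ldap:/// ldapi:///"  so that both a TCP
# listener (for StartTLS) and a local UNIX socket are available.
TLSCertificateFile    /etc/ldap/server.crt   # placeholder path
TLSCertificateKeyFile /etc/ldap/server.key   # placeholder path

# Sessions arriving over ldapi:// are assigned this security strength
# factor (slapd's default is 71), so they count as "secure" for the
# ssf-based checks below without any encryption on the socket.
localSSF 71

# First ACL: grant nothing, but let evaluation continue ("break") only
# for TLS sessions, the IPv4 loopback, or the ldapi socket.  Every other
# session stops here with no access at all, i.e. cleartext over the
# network is rejected before any later ACL is consulted.
access to *
    by tls_ssf=1 none break
    by peername.ip="127.0.0.1" none break
    by peername.path="/var/run/slapd/ldapi" none break
    by * none

# Ordinary ACLs follow; the Samba password attributes must come before
# the catch-all so that they are never readable anonymously.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=example,dc=com" write
    by self write
    by * auth

access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * read

# On the slave only: writes are referred to the master.  The master's
# own first ACL (identical to the one above) is what rejects the
# referred connection if it arrives without TLS.
updateref ldap://master.example.com

# smb.conf (added example) on each domain controller
[global]
    # Loopback over TCP: matched by the peername.ip clause above.
    passdb backend = ldapsam:ldap://127.0.0.1
    # Alternative that is local by construction and matched by the
    # peername.path clause (the socket path is URL-encoded):
    # passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd%2fldapi
    ldap ssl = start_tls
```

The design point is that the slapd side enforces the policy independently of what the client does: a session that is neither TLS nor local simply gets `none` from the first rule, so the outcome observed in the thread (password change works once the master is back) is consistent with the referred connection having satisfied `tls_ssf=1` on the master, regardless of which setting on the Samba side caused StartTLS to be negotiated.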