2 questions about start_tls (was: Re: [Samba] TLS and ldap referals)

Thierry Lacoste lacoste at miage.univ-paris12.fr
Wed Jul 25 14:17:45 GMT 2007

On Thursday 14 June 2007 13:56, Thierry Lacoste wrote:
> On Thursday 14 June 2007 10:17, Andrew Bartlett wrote:
> > On Wed, 2007-06-06 at 22:40 +0200, Thierry Lacoste wrote:
> > > I have a samba PDC with a master openldap server
> > > and a samba BDC with a slave openldap server.
> > > Replication is done with slurpd with a TLS connection
> > > and the slave ldap server has an updateref pointing
> > > to the master (I don't use ldaps).
> > >
> > > On each domain controller my smb.conf contains:
> > > passdb backend = ldapsam:ldap://localhost
> > >
> > > Now I'd like my ldap servers to reject non TLS connections
> > > except on the loopback interface (to avoid unnecessary
> > > encryption).
> > >
> > > Is it possible to configure my BDC so that TLS is used when
> > > chasing the referral but connections to its passdb backend
> > > are not encrypted?
> >
> > Perhaps if the referrals were given as an LDAPS URL in the server?  In
> > terms of localhost allowing cleartext, perhaps use ldapi://, which is by
> > definition local only.
> >
> > Andrew Bartlett
> Apparently everything is working as I want but I'd like to understand
> the magic behind.
> On both servers, my very first ACL in slapd.conf is:
> # first, make sure TLS or localhost
> access to *
>         by tls_ssf=1 none break
>         by peername.ip="" none break
>         by * none
> so cleartext sessions are indeed rejected except on the loopback.
> On the slave I have
> updateref   ldap://my.master.ldap.server
> On both servers my smb.conf contains:
>   passdb backend = ldapsam:ldap://
> BTW if I use localhost instead of, ldap connections are rejected.
> When I shutdown the PDC, logon to a windows client and update my password
> I get a "domain unavailable error" as expected.
> When I restart the master and do it again, everything is OK.
> Therefore I guess the referral is chased and TLS is used, or did I miss
> something?
> It's working great but I can't find a satisfactory explanation on how.
> Can someone shed some light on what's happening?

From man smb.conf:

      ldap ssl (G)
              This option is used to define whether or not Samba should use
              SSL when connecting to the ldap server. This is NOT related to
              Samba's previous SSL support which was enabled by specifying
              the --with-ssl option to the configure script.

              The ldap ssl can be set to one of three values:

              o  Off = Never use SSL when querying the directory.

              o  Start_tls = Use the LDAPv3 StartTLS extended operation
                 (RFC2830) for communicating with the directory server.

              o  On = Use SSL on the ldaps port when contacting the ldap
                 server. Only available when the backwards-compatibility
                 --with-ldapsam option is specified to configure. See passdb

              Default: ldap ssl = start_tls

I have two questions about start_tls:

1) does it apply on the loopback when
passdb backend = ldapsam:ldap://
2) does it apply when chasing referrals?

If the answers are respectively no and yes I think I have the explanation
I was looking for.
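To make the "none break" magic in the first ACL easier to see, here is an added illustration (my own simplified model, not slapd's code and not part of the thread): the first access directive never grants anything, it only decides whether evaluation falls through to the next directive or stops with a denial. It assumes the loopback address 127.0.0.1 (the archived mail blanks that value) and a constructed second directive granting the usual self-write / anyone-read privileges.

```python
from dataclasses import dataclass

# Access levels in slapd's increasing order.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
LOOPBACK_IP = "127.0.0.1"  # assumption: the archived mail shows peername.ip=""


@dataclass
class Session:
    peer_ip: str           # address the client connects from
    tls_ssf: int           # 0 = cleartext, >= 1 = TLS/StartTLS negotiated
    is_self: bool = False  # bound as the entry being accessed


# Predicates standing in for slapd "who" selectors.
def tls(s): return s.tls_ssf >= 1          # tls_ssf=1
def loopback(s): return s.peer_ip == LOOPBACK_IP  # peername.ip=<loopback>
def anyone(s): return True                 # *
def self_(s): return s.is_self             # self

# Ordered access directives: each is a list of (who, level, control) "by"
# clauses. The first directive is the one from the thread; the second is a
# constructed, typical follow-up directive that grants real privileges.
ACLS = [
    [(tls, "none", "break"), (loopback, "none", "break"), (anyone, "none", "stop")],
    [(self_, "write", "stop"), (anyone, "read", "stop")],
]


def evaluate(session, acls=ACLS):
    """Return the access level this simplified model grants to a session."""
    granted = "none"
    for directive in acls:
        fell_through = False
        for who, level, control in directive:
            if who(session):
                granted = level
                if control == "stop":
                    return granted         # first matching clause is final
                fell_through = True        # "break": try the next directive
                break
        if not fell_through:
            return "none"                  # nothing matched: implicit "by * none"
    return granted


def allowed(session, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(evaluate(session)) >= LEVELS.index(needed)
```

A cleartext bind from the loopback and a StartTLS bind from a remote host (the BDC chasing the referral) both fall through to the second directive; a remote cleartext bind stops at `by * none`.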
