[Samba] TLS and ldap referrals

Thierry Lacoste lacoste at miage.univ-paris12.fr
Thu Jun 14 11:56:53 GMT 2007


On Thursday 14 June 2007 10:17, Andrew Bartlett wrote:
> On Wed, 2007-06-06 at 22:40 +0200, Thierry Lacoste wrote:
> > I have a samba PDC with a master openldap server
> > and a samba BDC with a slave openldap server.
> > Replication is done with slurpd with a TLS connection
> > and the slave ldap server has an updateref pointing
> > to the master (I don't use ldaps).
> >
> > On each domain controller my smb.conf contains:
> > passdb backend = ldapsam:ldap://localhost
> >
> > Now I'd like my ldap servers to reject non TLS connections
> > except on the loopback interface (to avoid unnecessary
> > encryption).
> >
> > Is it possible to configure my BDC so that TLS is used when
> > chasing the referral but connections to its passdb backend
> > are not encrypted?
>
> Perhaps if the referrals were given as an LDAPS URL in the server?  In
> terms of localhost allowing cleartext, perhaps use ldapi://, which is by
> definition local only.
>
> Andrew Bartlett
Apparently everything is working as I want but I'd like to understand
the magic behind.

On both servers, my very first ACL in slapd.conf is:
# first, make sure TLS or localhost
access to *
        by tls_ssf=1 none break
        by peername.ip="127.0.0.1" none break
        by * none

so cleartext sessions are indeed rejected except on the loopback.

On the slave I have
updateref   ldap://my.master.ldap.server

On both servers my smb.conf contains:
  passdb backend = ldapsam:ldap://127.0.0.1

BTW if I use localhost instead of 127.0.0.1, ldap connections are rejected.

When I shutdown the PDC, logon to a windows client and update my password
I get a "domain unavailable error" as expected.
When I restart the master and do it again, everything is OK.
Therefore I guess the referral is chased and TLS is used, or did I miss
something?

It's working great but I can't find a satisfactory explanation on how.
Can someone shed some light on what's happening?

Regards,
Thierry.
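Added example (not part of the thread): a small Python model of how slapd walks the first ACL quoted above, clause by clause, to show that "none break" does not deny anything by itself but defers the decision to the ACLs that follow, while the final "by * none" stops evaluation and denies. The sessions are constructed; the "::1" case is an assumption about what "localhost" may resolve to on a dual-stack host.

```python
from dataclasses import dataclass


@dataclass
class Session:
    peer_ip: str   # address the client connected from (as slapd sees it)
    tls_ssf: int   # 0 for cleartext, > 0 once TLS/StartTLS is negotiated


# The ACL from the post, one clause per tuple: (condition, access, control).
# In slapd, "break" grants the listed access and CONTINUES with the next
# "access to" directive; the default control "stop" ends evaluation here.
FIRST_ACL = [
    (lambda s: s.tls_ssf >= 1,            "none", "break"),  # by tls_ssf=1 none break
    (lambda s: s.peer_ip == "127.0.0.1",  "none", "break"),  # by peername.ip="127.0.0.1" none break
    (lambda s: True,                      "none", "stop"),   # by * none
]


def first_acl(session: Session) -> str:
    """Return 'continue' if later ACLs get to decide, 'denied' if this ACL ends it."""
    for condition, access, control in FIRST_ACL:
        if not condition(session):
            continue  # first matching "by" clause wins
        if control == "break":
            return "continue"        # access so far is "none", but later ACLs may grant more
        return "denied" if access == "none" else access
    return "denied"  # unreachable with a trailing "by *" clause, kept for completeness


def evaluate(sessions: dict) -> dict:
    """Evaluate a named set of sessions against the first ACL."""
    return {name: first_acl(s) for name, s in sessions.items()}


if __name__ == "__main__":
    # Constructed sessions covering the cases discussed in the thread.
    cases = {
        "remote StartTLS (e.g. chased referral)": Session("192.0.2.10", 256),
        "loopback cleartext (passdb backend)":     Session("127.0.0.1", 0),
        "remote cleartext":                        Session("192.0.2.10", 0),
        "IPv6 loopback cleartext (assumed ::1)":   Session("::1", 0),
    }
    for name, verdict in evaluate(cases).items():
        print(f"{name:42s} -> {verdict}")
```

Only the two cleartext non-127.0.0.1 sessions are stopped by this ACL; the TLS and IPv4-loopback sessions fall through to whatever the later "access to" directives grant.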