[Samba] Samba OpenLDAP TLS
Willy Offermans
Willy at Offermans.Rompen.nl
Mon Jan 3 03:29:27 MST 2011
Dear Michael and Samba friends,
On Fri, Dec 31, 2010 at 11:50:49PM +0200, Michael Wood wrote:
> Hi
>
> On 30 December 2010 14:35, Willy Offermans <Willy at offermans.rompen.nl> wrote:
> > Dear Samba friends,
> >
> > I have set up a samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with
> > openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in
> > slapd.conf and want to enforce the clients to connect and show a
> > valid certificate to the ldap server. As far as I have understood, Samba
> > will act as a client as well and in order to access the ldap server it will
> > need a client certificate as well. I do know how to generate a client
> > certificate, but I do not know where to tell samba to use this
> > client certificate. Is this supported by Samba or do I need to lower the
> > constraints regarding the TLSVerifyClient? Maybe to ``TLSVerifyClient try''?
>
> Just a guess, but have you tried the TLS_CERT and TLS_KEY options from
> the LDAP client config? They're listed in ldap.conf(5) as "user-only
> options", so should be specified in $HOME/.ldaprc or ldaprc in the
> current directory. Not sure where $HOME or the current directory are
> for Samba, though, but perhaps that will point you in the right
> direction.
>
> Hope that helps.
>
> --
Thanks for your answer!
I guess $HOME is the home directory of root in this case, but I'm not sure
yet. I have created the following file:
/root/ldaprc
with the following content:
<snip>
#
# User specific LDAP settings
#
# Override global directive (if set)
TLS_REQCERT demand
# client authentication
TLS_CERT /root/certs/root.pem
TLS_KEY /root/certs/keys/root.key
</snip>
It helped me to work with ldapadd -ZZ ... commands from the command prompt.
I hope that samba works in a similar way, meaning that it will make use of
/root/ldaprc to show its client certificate. I have not yet tested samba,
because I'm still setting up this server and I was distracted by the
installation of other programs.
If somebody has already experienced that /root/ldaprc will not work for samba,
then please give me a hint on how to set this up correctly.
--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
Willy
*************************************
W.K. Offermans
Home: +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: Willy at Offermans.Rompen.nl
Powered by ....
(__)
\\\'',)
\/ \ ^
.\._/_)
www.FreeBSD.org
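As an added illustration (not part of Willy's mail or of Samba/OpenLDAP), a small POSIX sh check for the per-user ldaprc discussed above: it confirms TLS_REQCERT is "demand", that TLS_CERT and TLS_KEY name existing files, and that the private key is not group- or world-readable. The temp-dir paths and the placeholder cert/key contents are constructed for the demo.

```shell
#!/bin/sh
# Checks an OpenLDAP per-user config file (ldaprc / .ldaprc) for the client-cert
# settings discussed in the mail: TLS_REQCERT must be "demand", TLS_CERT and
# TLS_KEY must name existing files, and the private key must not be readable
# by group or others. Returns 0 when every check passes, 1 otherwise.
check_ldaprc() {
    rc="$1"; status=0
    [ -f "$rc" ] || { echo "no such file: $rc"; return 1; }
    # take the last value of each directive, ignoring comment lines
    reqcert=$(sed -n 's/^[[:space:]]*TLS_REQCERT[[:space:]]\{1,\}//p' "$rc" | tail -n 1)
    cert=$(sed -n 's/^[[:space:]]*TLS_CERT[[:space:]]\{1,\}//p' "$rc" | tail -n 1)
    key=$(sed -n 's/^[[:space:]]*TLS_KEY[[:space:]]\{1,\}//p' "$rc" | tail -n 1)
    if [ "$reqcert" != "demand" ]; then
        echo "TLS_REQCERT is '${reqcert:-unset}', expected 'demand'"; status=1
    fi
    if [ -z "$cert" ] || [ ! -f "$cert" ]; then
        echo "TLS_CERT unset or file not found: '$cert'"; status=1
    fi
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "TLS_KEY unset or file not found: '$key'"; status=1
    else
        # columns 5-10 of 'ls -l' are the group and other permission bits
        gobits=$(ls -ld "$key" | cut -c5-10)
        if [ "$gobits" != "------" ]; then
            echo "private key $key is readable by group/others ($gobits)"; status=1
        fi
    fi
    return "$status"
}

# Constructed sample (not a real deployment): recreates the ldaprc layout from
# the mail under a temporary directory with placeholder cert and key files.
demo_ldaprc() {
    d=$(mktemp -d); mkdir -p "$d/certs/keys"
    printf 'placeholder certificate\n' > "$d/certs/root.pem"
    printf 'placeholder private key\n' > "$d/certs/keys/root.key"
    chmod 600 "$d/certs/keys/root.key"
    cat > "$d/ldaprc" <<EOF
#
# User specific LDAP settings
#
TLS_REQCERT demand
# client authentication
TLS_CERT $d/certs/root.pem
TLS_KEY $d/certs/keys/root.key
EOF
    echo "$d/ldaprc"
}
```

Since ldap.conf(5), as quoted above, reads these user-only options from $HOME/.ldaprc or ldaprc in the current directory, run the check against whichever of those files the Samba daemon will actually see (e.g. `check_ldaprc /root/.ldaprc`).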