[Samba] LDAPS Configuration

Daniel Carrasco Marín danielmadrid19 at gmail.com
Tue Jun 16 09:35:15 MDT 2015


2015-05-02 12:06 GMT+02:00 Daniel Carrasco Marín <danielmadrid19 at gmail.com>:

> Hi,
>
> I'm trying to convert my LDAP server into an LDAPS server to secure the
> user logins, but I don't know what the procedure is to do it. Does someone
> know any guide to do it?
>
> For now:
>
>    - I've created a CA cert on the server
>    - I've created the cert and key for the domain pdc
>    - I've signed that cert with CA cert.
>    - I've followed the post in samba wiki about LDAPS (
>    https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC).
>
> Now my question is if I have to do anything on Windows machines to enable
> LDAPS, because after enabling the cert in Samba LDAP I can log on to the
> client machine (login info is surely cached) but the RSAT tools don't work.
>
> I've tried to add the CA to the trusted certificate entities, but I have the
> same behavior.
>
>
> Thanks and greetings!!
>

Hi,

I've tried again to set up LDAPS because I want to encrypt the connection
with an external server, and now at least the unencrypted LDAP part works.
I can log in on clients and I can use the RSAT tools, but it seems like TLS
is still not working.

I can see Samba listening on that port:
tcp        0      0 192.168.2.250:636       0.0.0.0:*               LISTEN

and I don't see any error in the log, but I can't use the TLS connection in
applications like, for example, Horde.

RSAT LDP works fine without TLS too, but with TLS it gives me an error when
trying to connect:

ld = ldap_sslinit("pdc.nd.red", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to pdc.nd.red.

and the OpenSSL test command from the wiki works too from another server:

openssl s_client -showcerts -connect pdc.nd.red:636
CONNECTED(00000003)
depth=0 C = ES, ST = Madrid, L = Madrid, O = SOME, OU = ATIC, CN = pdc.nd.red, emailAddress =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ES, ST = Madrid, L = Madrid, O = SOME, OU = ATIC, CN = pdc.nd.red, emailAddress =
verify return:1
---
Certificate chain
 0 s:/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
   i:/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
-----BEGIN CERTIFICATE-----
...............
-----END CERTIFICATE-----
---
Server certificate
subject=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
issuer=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=PDC.nd.red
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=PDC.nd.red
---
SSL handshake has read 2204 bytes and written 540 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Session-ID: C5D2CB3B26517A043E090CE3D17683F970D252DA6E3AB862B756F12059E595CA
    Session-ID-ctx:
    Master-Key: 03A0E5FF1612A832EC56A37A6C18391B7BDDCDC6E9A1EF8D27E13ECBF8AA73AA9FEB87C960EAD56BC842FC82B78675E5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1434468171
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Of course, the Samba build has GnuTLS:
smbd -b | grep "ENABLE_GNUTLS"
   ENABLE_GNUTLS

What am I doing wrong?

Thanks!!

