[Samba] LDAPS Configuration

Daniel Carrasco Marín danielmadrid19 at gmail.com
Wed Jun 17 06:45:27 MDT 2015


2015-06-16 17:35 GMT+02:00 Daniel Carrasco Marín <danielmadrid19 at gmail.com>:

> 2015-05-02 12:06 GMT+02:00 Daniel Carrasco Marín <danielmadrid19 at gmail.com>:
>
>> Hi,
>>
>> I'm trying to convert my LDAP server into an LDAPS server to secure the
>> users' logins, but I don't know what the procedure to do it is. Does someone
>> know any guide to do it?
>>
>> For now:
>>
>>    - I've created a CA cert on the server
>>    - I've created the cert and key for the domain pdc
>>    - I've signed that cert with CA cert.
>>    - I've followed the post in samba wiki about LDAPS (
>>    https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC).
>>
>> Now my question is if I have to do anything on Windows machines to enable
>> LDAPS, because after enabling the cert in Samba LDAP I can log on to the
>> client machine (login info is surely cached) but the RSAT tools don't work.
>>
>> I've tried to add the CA to the trusted certificate entities, but I have the
>> same behavior.
>>
>>
>> Thanks and greetings!!
>>
>
> Hi,
>
> I've tried again to set up LDAPS because I want to encrypt the
> connection with an external server, and now at least the unencrypted
> LDAP part works. I can log in on clients and I can use the RSAT tools, but it
> seems like TLS is still not working.
>
> I can see Samba listening on that port:
> tcp        0      0 192.168.2.250:636       0.0.0.0:*               LISTEN
>
> and I don't see any error in the log, but I can't use the TLS connection
> in applications like, for example, Horde.
>
> RSAT LDP works fine without TLS too, but with TLS it gives me an error trying
> to connect:
>
> ld = ldap_sslinit("pdc.nd.red", 636, 1);
> Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
> Error 81 = ldap_connect(hLdap, NULL);
> Server error: <empty>
> Error <0x51>: Fail to connect to pdc.nd.red.
>
> and the openSSL test command of the wiki works too from another server:
>
> openssl s_client -showcerts -connect pdc.nd.red:636
> CONNECTED(00000003)
> depth=0 C = ES, ST = Madrid, L = Madrid, O = SOME, OU = ATIC, CN = pdc.nd.red, emailAddress =
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = ES, ST = Madrid, L = Madrid, O = SOME, OU = ATIC, CN = pdc.nd.red, emailAddress =
> verify return:1
> ---
> Certificate chain
>  0 s:/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
>    i:/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
> -----BEGIN CERTIFICATE-----
> ...............
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
> issuer=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
> ---
> Acceptable client certificate CA names
> /O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=PDC.nd.red
> /O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=PDC.nd.red
> ---
> SSL handshake has read 2204 bytes and written 540 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-SHA256
>     Session-ID:
> C5D2CB3B26517A043E090CE3D17683F970D252DA6E3AB862B756F12059E595CA
>     Session-ID-ctx:
>     Master-Key:
> 03A0E5FF1612A832EC56A37A6C18391B7BDDCDC6E9A1EF8D27E13ECBF8AA73AA9FEB87C960EAD56BC842FC82B78675E5
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1434468171
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
>
> Of course, the Samba build has GNUTLS:
> smbd -b | grep "ENABLE_GNUTLS"
>    ENABLE_GNUTLS
>
> What am I doing wrong?
>
> Thanks!!
>

Hi,

Forget about this. Finally I've created a Certificate Authority and a
self-signed certificate signed with the created CA. Now I can connect using TLS,
at least with Python and OwnCloud.
I've installed the CA on the client and now even the LDP tool from RSAT is
working fine with SSL activated, so I think that the server is now working
perfectly.

Now I'm happy :)

Greetings!!
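As an added example (not from this thread or the Samba project), a small Python check that reads an `openssl s_client -connect host:636` transcript like the one quoted above and flags what a client would refuse: a non-zero verify return code, a server certificate whose subject equals its issuer (self-signed rather than CA-issued), a CN that does not match the host, and an advertised client-CA list that still names Samba's autogenerated certificate. Both transcripts are constructed and abridged; the "ND Root CA" name is an assumption.

```python
"""Offline sanity check of an openssl s_client transcript for a Samba LDAPS DC."""
import re

# Constructed sample, abridged from the kind of output shown in the thread
# (self-signed server cert, verify code 18, autogenerated CA still advertised).
SAMPLE_OUTPUT = """\
depth=0 C = ES, ST = Madrid, L = Madrid, O = SOME, OU = ATIC, CN = pdc.nd.red, emailAddress =
verify error:num=18:self signed certificate
---
Server certificate
subject=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
issuer=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress=
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=PDC.nd.red
---
    Verify return code: 18 (self signed certificate)
"""

# Constructed sample of the fixed state: CA-issued cert, checked with -CAfile.
# "ND Root CA" is an assumed name, not one that appears in the thread.
GOOD_OUTPUT = """\
Server certificate
subject=/C=ES/O=SOME/CN=pdc.nd.red
issuer=/C=ES/O=SOME/CN=ND Root CA
---
Acceptable client certificate CA names
/C=ES/O=SOME/CN=ND Root CA
---
    Verify return code: 0 (ok)
"""

def _field(text, key):
    """Return the value of a 'key=...' line from the Server certificate block."""
    m = re.search(r"^%s=(.*)$" % key, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def _cn(dn):
    """Extract the CN component from a slash-separated DN string."""
    m = re.search(r"/CN=([^/]+)", dn or "")
    return m.group(1) if m else None

def check_ldaps_output(text, expected_host):
    """Return a list of findings; an empty list means the cert looks client-ready."""
    findings = []
    subject, issuer = _field(text, "subject"), _field(text, "issuer")
    m = re.search(r"Verify return code: (\d+)", text)
    code = int(m.group(1)) if m else None
    if code not in (0, None):
        findings.append("verify return code %d: chain is not trusted as presented" % code)
    if subject and subject == issuer:
        findings.append("subject == issuer: server cert is self-signed, not CA-issued")
    if _cn(subject) and _cn(subject).lower() != expected_host.lower():
        findings.append("CN %r does not match host %r" % (_cn(subject), expected_host))
    if "temporary autogenerated certificate" in text:
        findings.append("client CA list still names Samba's autogenerated cert; check 'tls cafile'")
    return findings
```

Feed it the real transcript with `check_ldaps_output(open("s_client.txt").read(), "pdc.nd.red")`; run `s_client` with `-CAfile` pointing at your own CA so a correct chain yields return code 0.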

