[Samba] samba certificates ldap problems etc. a tip..
L.P.H. van Belle
belle at bazuin.nl
Wed May 11 09:30:20 UTC 2016
Hi,
Since lots of questions these days are also about certificates, I have one to share.
Here you can get a very simple Windows tool to create a CA and client certs:
https://realtimelogic.com/blog/2014/05/How-to-act-as-a-Certificate-Authority-the-Easy-Way
I have found only one bug here, when you create a wildcard cert:
use the SECOND name for *.domain.tld and call the first one wildcard.domain.tld.
Certs are saved in: C:\Users\Username\.certmgr-db\<somename>
Now set up your created root cert for servers and PCs.
Add to /etc/ldap/ldap.conf (minimal):
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
Set up your own "rootCA" like this
(if not done: apt-get install ca-certificates):
mkdir -p /usr/local/share/ca-certificates/yourCArootFolder
copy your root CA cert into /usr/local/share/ca-certificates/yourCArootFolder
run: update-ca-certificates
! It MUST BE /usr/local/share/ca-certificates, else it's not picked up by the update-ca-certificates command.
you should see:
update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
After the above is done, your CA cert is hashed in /etc/ssl/certs
and it's added to /etc/ssl/certs/ca-certificates.crt.
For Windows:
Now set up a GPO to deploy the root CA to your PCs and you're good to go.
How:
https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx
And an example to add to smb.conf:
tls enabled = yes
tls keyfile = /etc/ssl/local/private/proxy.key.pem
tls certfile = /etc/ssl/local/certs/proxy.cert.pem
tls cafile = /etc/ssl/certs/company-root-ca.pem
This one, /etc/ssl/certs/company-root-ca.pem, is a symlink created by update-ca-certificates.
This folder, /etc/ssl/local, is advised for your personal certificates.
Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs.
So create the folders
/etc/ssl/local/certs
/etc/ssl/local/private
Much easier to maintain this way.
A few other samples.
Squid LDAP simple auth sample:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
-b "ou=COMPANY,dc=internal,dc=domain,dc=tld" \
-D some-user-to-bind2ldap@REALM \
-W /etc/squid/private/ldap-passwordfile \
-f sAMAccountName=%s \
-H ldaps://dc2.internal.domain.tld \
-H ldaps://dc1.internal.domain.tld
^^ Protect the /etc/squid/private/ldap-passwordfile file.
Watch the -H and not -h:
-H => URI
-h => hostname
A Postfix sample (/etc/postfix/ads-aliases.cf):
server_host = ldaps://dc1.internal.domain.tld ldaps://dc2.internal.domain.tld
search_base = OU=Aliases,dc=internal,dc=domain,dc=tld
version = 3
bind_dn = CN=some-user-to-bind2ldap,OU=srv-accounts,dc=internal,dc=domain,dc=tld
bind_pw = somepassword
scope = sub
query_filter = (&(objectClass=contact)(displayName=%s))
result_attribute = displayName
Greetz,
Louis
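An added example, not from Louis's mail: a POSIX sh helper that stages the root CA the way the mail describes (forcing the .crt extension that update-ca-certificates requires), refuses files that are not PEM certificates or that carry a private key, and checks whether /etc/ldap/ldap.conf still has TLS_REQCERT at allow, which lets the client accept an unverifiable server certificate. CA_STORE and the function names are my assumptions.

```shell
#!/bin/sh
# Added helper (not from the mail). CA_STORE is overridable so the functions can be
# exercised in a scratch directory; the default is the path update-ca-certificates scans.
CA_STORE="${CA_STORE:-/usr/local/share/ca-certificates}"

# install_local_ca <pem-file> <folder> <name>
# update-ca-certificates only picks up PEM files with a .crt extension below
# /usr/local/share/ca-certificates, so the extension is forced here. The name
# becomes the /etc/ssl/certs/<name>.pem symlink that smb.conf's tls cafile points at.
install_local_ca() {
    pem="$1"; folder="$2"; name="$3"
    [ -n "$name" ] || { echo "usage: install_local_ca <pem-file> <folder> <name>" >&2; return 1; }
    [ -r "$pem" ] || { echo "unreadable: $pem" >&2; return 1; }
    # Only a PEM certificate belongs in the trust store: reject DER files and
    # anything carrying a private key (an easy mistake when copying from the CA tool).
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo "not a PEM cert: $pem" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pem"; then echo "refusing $pem: contains a private key" >&2; return 1; fi
    mkdir -p "$CA_STORE/$folder"
    cp "$pem" "$CA_STORE/$folder/$name.crt"
    chmod 0644 "$CA_STORE/$folder/$name.crt"
    printf '%s\n' "$CA_STORE/$folder/$name.crt"
}

# ldap_tls_is_strict <ldap.conf>
# Returns 0 when TLS_REQCERT is demand or hard (server cert must verify against
# TLS_CACERT), 1 for allow/try/never. Once the root CA is in the bundle, the
# "allow" from the mail can be tightened to "demand"; unset means demand in OpenLDAP.
ldap_tls_is_strict() {
    level=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$1")
    case "${level:-demand}" in
        demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical run on the LDAP client after copying root-ca.pem from the CA machine:
#   install_local_ca /root/root-ca.pem company company-root-ca && update-ca-certificates
#   ldap_tls_is_strict /etc/ldap/ldap.conf || echo "ldap.conf still accepts unverified server certs"
```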