[Samba] SSL Certificate
Vinicius Bones Silva
vbs at e-trust.com.br
Wed Jan 11 20:53:10 UTC 2017
Probably ldapsearch is refusing to connect to the server because the certificate does not
match the name localhost.
Run ldapsearch again with -d2 to see the reason for the failure.
On 11/01/2017 15:14, Carlos A. P. Cunha via samba wrote:
> Hello!
>
> Taking advantage of the email, I tried to make an LDAP query with TLS and I had an error...
>
> Version Samba 4.4.4
>
> samba-tool testparm -v --suppress-prompt|grep tls
> ldap ssl = start tls
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls crlfile =
> tls dh params file =
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0
> tls verify peer = as_strict_as_possible
>
>
> ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b
> dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName -LLL -n -N -Z
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
>
>
> What would be wrong?
>
>
>
> On 11-01-2017 14:39, Rowland Penny via samba wrote:
>> On Wed, 11 Jan 2017 11:09:15 -0500
>> Matthew Daubenspeck via samba <samba at lists.samba.org> wrote:
>>
>>> I'm using a Samba4 ADDC and just noticed that the SSL that was created
>>> at install time is about to expire. Is there something Samba specific
>>> to create a new certificate, or should I manually create a new one
>>> using openssl?
>>>
>>> Thanks!
>>>
>> Have a look here:
>> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_%28LDAPS%29_on_a_Samba_AD_DC
>>
>> Rowland
>>
>
--
Vinicius Silva
SOC
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>
This message may contain privileged and confidential information for the use of the
intended recipients only. If you are not an intended recipient then you should not
disseminate, copy, or take any action based on its contents. If you have received this
message in error then please notify E-TRUST by sending an e-mail message to
suporte at e-trust.com.br immediately. Views and opinions expressed in this message do not
necessarily reflect the position of E-TRUST. If this message is digitally signed, its
authenticity can be confirmed by E-TRUST Private Certificate Authority, available at
www.e-trust.com.br.
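
The name check behind the diagnosis in the reply above, as an added example that is not part of the original thread or of Samba/OpenLDAP code. It applies RFC 6125-style matching to the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the DC name dc1.internal.test.com.br is a constructed placeholder built from the base DN in the thread, and a given LDAP client may differ in detail (for example in when it falls back to the CN).

```python
# Added example: why a client connecting as "localhost" rejects a DC certificate.
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().


def label_match(pattern: str, host: str) -> bool:
    """Match one dNSName pattern; '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert: dict) -> list:
    """Names the client will accept: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # the CN is ignored once a SAN dNSName exists
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def explain_mismatch(cert: dict, connect_name: str) -> str:
    """Return 'ok' or a message naming both sides of the mismatch."""
    names = cert_names(cert)
    if any(label_match(n, connect_name) for n in names):
        return "ok"
    return f"name mismatch: connected as {connect_name!r}, certificate is valid for {names}"


# Constructed sample: hypothetical DC name under the domain of the thread's base DN.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.internal.test.com.br"),),),
    "subjectAltName": (("DNS", "dc1.internal.test.com.br"),),
}

if __name__ == "__main__":
    for name in ("localhost", "dc1.internal.test.com.br"):
        print(name, "->", explain_mismatch(SAMPLE_CERT, name))
```

With tls verify peer = as_strict_as_possible style checking on the client side, the fix is to connect using a name the certificate actually lists, not to relax verification.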