[Samba] SSL Certificate

Brian Candler b.candler at pobox.com
Sun Jan 15 12:04:07 UTC 2017

On 11/01/2017 17:14, Carlos A. P. Cunha wrote:
> ldapsearch -U USER -h ldaps://localhost -p636  -w PASS -b 
> dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName 
> -LLL -n -N -Z
> ldap_start_tls: Connect error (-11)
>         additional info: (unknown error code)
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: (unknown error code)
> What would be wrong? 

You are trying to do two mutually-exclusive things at the same time.

(1) An ldaps:// URL means that TLS is negotiated as soon as the TCP 
connection is established, before any LDAP operation takes place. This 
happens on port 636.

(2) The -Z flag means "use the STARTTLS extension to the LDAP protocol 
to request TLS".  You only ever use this on port 389. The normal LDAP 
connection is established, *then* the STARTTLS message is sent, *then* 
TLS is negotiated.

The difference between ldaps (636) and ldap (389) is the same as the 
different between https (443) and http (80).

To check if your Samba is listening on port 636, use:

netstat -natp | grep :636

and look for LISTEN



More information about the samba mailing list