[Samba] SSL Certificate
Brian Candler
b.candler at pobox.com
Sun Jan 15 12:04:07 UTC 2017
On 11/01/2017 17:14, Carlos A. P. Cunha wrote:
> ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b
> dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName
> -LLL -n -N -Z
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
>
>
> What would be wrong?
You are trying to do two mutually-exclusive things at the same time.
(1) An ldaps:// URL means that TLS is negotiated as soon as the TCP
connection is established, before any LDAP operation takes place. This
happens on port 636.
(2) The -Z flag means "use the STARTTLS extension to the LDAP protocol
to request TLS". You only ever use this on port 389. The normal LDAP
connection is established, *then* the STARTTLS message is sent, *then*
TLS is negotiated.
The difference between ldaps (636) and ldap (389) is the same as the
difference between https (443) and http (80).
To check if your Samba is listening on port 636, use:
netstat -natp | grep :636
and look for LISTEN
HTH,
Brian.
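An added shell example, not part of the thread above and not Samba's or OpenLDAP's own code, that makes the two points of the reply mechanical: it classifies an ldapsearch invocation by URL scheme, explicit port and -Z flag (flagging the ldaps:// plus -Z combination as a conflict), and it checks for a LISTEN socket by reading /proc/net/tcp and /proc/net/tcp6 directly, which works on Linux hosts without netstat or ss. The hostnames and ports below are constructed sample values; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Classifies an ldapsearch
# invocation by URL scheme, port and -Z, and checks for a LISTEN socket by
# reading /proc/net/tcp{,6} (Linux only; no netstat/ss required).
# Hostnames and ports are constructed sample values.

# url_port URL: print the port the URL implies (explicit port, else 636 for
# ldaps://, 389 for ldap://). Bracketed IPv6 literals are not handled.
url_port() {
    hostport=${1#*://}          # strip the scheme
    hostport=${hostport%%/*}    # strip any trailing /base-DN part
    case "$1" in
        ldaps://*) default=636 ;;
        ldap://*)  default=389 ;;
        *) return 1 ;;
    esac
    case "$hostport" in
        *:*) echo "${hostport##*:}" ;;
        *)   echo "$default" ;;
    esac
}

# tls_mode URL STARTTLS: STARTTLS is "yes" when -Z is on the command line.
# Prints one of: ldaps, starttls, plain, conflict, unknown.
#   ldaps    - TLS is negotiated first, then LDAP runs inside it (port 636)
#   starttls - plain LDAP first, then the STARTTLS extended op (port 389)
#   conflict - ldaps:// combined with -Z, the mix discussed in the thread
tls_mode() {
    case "$1" in
        ldaps://*) if [ "$2" = yes ]; then echo conflict; else echo ldaps; fi ;;
        ldap://*)  if [ "$2" = yes ]; then echo starttls; else echo plain; fi ;;
        *)         echo unknown ;;
    esac
}

# port_listening PORT: succeed if any socket is in state 0A (LISTEN) on PORT.
# /proc/net/tcp fields: sl local_address rem_address st ...; ports are hex.
port_listening() {
    hexport=$(printf '%04X' "$1")
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null |
        awk -v p=":$hexport\$" '$2 ~ p && $4 == "0A" { found = 1 } END { exit !found }'
}

# check_invocation URL [-Z]: report mode and port; return 1 on a conflict.
check_invocation() {
    url=$1; z=no
    [ "$2" = -Z ] && z=yes
    mode=$(tls_mode "$url" "$z")
    port=$(url_port "$url") || { echo "unsupported URL: $url"; return 2; }
    echo "$url -> port $port, mode $mode"
    if [ "$mode" = conflict ]; then
        echo "ldaps:// already negotiates TLS before any LDAP op: drop -Z, or use ldap://host:389 with -Z"
        return 1
    fi
    if port_listening "$port"; then
        echo "port $port: LISTEN"
    else
        echo "port $port: nothing listening"
    fi
}

# Demonstration: the thread's combination (conflict), then the two valid forms.
check_invocation ldaps://localhost -Z || true
check_invocation ldap://localhost -Z || true
check_invocation ldaps://localhost || true
```

The port check reads the kernel's socket table rather than shelling out, so it also works in minimal containers; on a non-Linux host it simply reports nothing listening. Pair it with the `netstat -natp | grep :636` line from the reply when you also want the owning process.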