[Samba] LDAP ssl issue on port 636
Rowland Penny
rpenny at samba.org
Sat Jun 17 11:20:59 UTC 2017
On Sat, 17 Jun 2017 12:03:17 +0200
Supporter via samba <samba at lists.samba.org> wrote:
> Hello All,
>
> We have an interesting issue.
>
>
> When the application connects to the PDC on port 389 (without SSL),
> everything works fine.
> When we try to use SSL on port 636, we have an issue.
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass
> output: ldap_result: Can't contact LDAP server (-1)
>
> [global]
> ...
> ldap ssl = start tls
> ldap ssl ads = No
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls crlfile =
> tls dh params file =
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0
> tls verify peer = ca_and_name
>
> Version: samba 4.6.5
>
You only need this in smb.conf:
tls cafile =
tls certfile = tls/cert.pem
tls enabled = Yes
tls keyfile = tls/key.pem
Along with:
ldap server require strong auth = allow_sasl_over_tls
/etc/ldap/ldap.conf
Should contain this:
HOST pdc.dc.local
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
If you then run this:
ldapsearch -D "cn=user,ou=users,dc=dc,dc=local" -b "DC=dc,DC=local" -H
ldaps://pdc.dc.local -w pass
That should get you the users and groups. Note that you use 'ldaps' instead of
the port '636'.
This always supposes that your user 'user' is in the OU 'users' instead
of the CN 'users'
Rowland
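As an added illustration (not part of the thread, and not Samba's own code), the script below audits the three pieces the reply puts together: the DC-side TLS parameters in smb.conf, the client's ldap.conf trust settings, and the ldapsearch invocation itself. It also explains the original failure: `-h PDC -p 636` makes ldapsearch speak plaintext LDAP to a listener that expects a TLS handshake, which is why it reports "Can't contact LDAP server (-1)", whereas `-H ldaps://host` negotiates TLS. The smb.conf and ldap.conf fragments are constructed here from the values quoted in the thread; the parsers and checks are hypothetical helpers written for this example.

```python
"""Offline audit of a Samba AD DC LDAPS setup (example code, not Samba's).

Checks the [global] TLS parameters in smb.conf, the client's ldap.conf
trust anchor / verification policy, and whether an ldapsearch command
actually uses an ldaps:// URI rather than plaintext LDAP to port 636.
"""
import shlex

# Constructed from the values quoted in the thread (not a real host).
POSTER_SMB_CONF = """
[global]
    tls enabled = Yes
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls keyfile = tls/key.pem
    tls priority = NORMAL:-VERS-SSL3.0
"""

CLIENT_LDAP_CONF = """
HOST pdc.dc.local
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
"""

# The failing command from the question and the working form from the reply.
POSTER_CMD = ('ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC '
              '-b "DC=dc,DC=local" -w pass')
FIXED_CMD = ('ldapsearch -D "cn=user,ou=users,dc=dc,dc=local" -b "DC=dc,DC=local" '
             '-H ldaps://pdc.dc.local -w pass')


def parse_smb_conf(text):
    """Return {param: value} for the [global] section only.
    Keys are lowercased with whitespace collapsed; '#' and ';' comment lines skipped."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.lower().split())] = val.strip()
    return params


def parse_ldap_conf(text):
    """Return {KEYWORD: value} from an OpenLDAP-style ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(smb_globals, ldap_conf):
    """Return a list of findings; an empty list means the DC can serve LDAPS
    and the client will verify the DC certificate against a trust anchor."""
    findings = []
    if smb_globals.get("tls enabled", "yes").lower() not in ("yes", "true", "1"):
        findings.append("tls enabled is off: the DC will not serve LDAPS on 636")
    for key in ("tls certfile", "tls keyfile"):
        if not smb_globals.get(key):
            findings.append(f"{key} is empty: no server certificate/key for LDAPS")
    if smb_globals.get("ldap server require strong auth", "yes").lower() == "no":
        findings.append("ldap server require strong auth = no: "
                        "simple binds are accepted over cleartext port 389")
    reqcert = ldap_conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow", "try"):
        findings.append(f"TLS_REQCERT {reqcert}: client does not verify the DC certificate")
    if not ldap_conf.get("TLS_CACERT"):
        findings.append("TLS_CACERT unset: client has no trust anchor for the DC certificate")
    return findings


def check_ldapsearch(cmdline):
    """Explain why an ldapsearch command cannot reach the LDAPS listener.
    Returns None when the command uses an ldaps:// URI (TLS from the start)."""
    args = shlex.split(cmdline)
    if any("ldaps://" in a for a in args):
        return None
    if "-p" in args:
        i = args.index("-p")
        if i + 1 < len(args) and args[i + 1] == "636":
            return ("-p 636 with -h speaks plaintext LDAP to the TLS listener; "
                    "use -H ldaps://host instead")
    return "no ldaps:// URI: this is plaintext LDAP on port 389"


if __name__ == "__main__":
    smb = parse_smb_conf(POSTER_SMB_CONF)
    ldap = parse_ldap_conf(CLIENT_LDAP_CONF)
    print("config findings:", audit(smb, ldap) or "none")
    print("original command:", check_ldapsearch(POSTER_CMD))
    print("fixed command:", check_ldapsearch(FIXED_CMD))
```

Run against the thread's own values, the configuration passes and only the command is flagged; pointing `TLS_REQCERT` at `never` or `allow` in ldap.conf is reported as a finding because the client would then accept any certificate presented on port 636.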