[Samba] LDAP ssl issue on port 636
Harry Jede
walk2sun at arcor.de
Sat Jun 17 11:25:38 UTC 2017
On 13:10:56, Supporter via samba wrote:
> Hello All,
>
> We have interesting issue.
>
>
> When application connect to PDC by port 389 (without ssl) everything
> works fine.
> When we try to use SSL by port 636 we have issue.
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass
> output: ldap_result: Can't contact LDAP server (-1)
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass -Z
> output: ldap_start_tls: Can't contact LDAP server (-1)
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
>
> ldapsearch -x -D "cn=user,ou=users,dc=dc,dc=local" -p 636 -h PDC -b
> "DC=dc,DC=local" -w pass -ZZ
> output: ldap_start_tls: Can't contact LDAP server (-1)
All these ldapsearch commands are wrong. Instead of "-h PDC -p 636" use
"-H ldaps://PDC/".
As your ldapsearch logs "output: ldap_start_tls:", you are making an
unencrypted connection attempt on an encrypted server port (636). This must
fail.
> openssl s_client -connect PDC:636
>
> CONNECTED(00000003)
> ---
> Certificate chain
> 0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST
> certificate/CN=PDC.dc.local
> i:/O=Samba Administration/OU=Samba - temporary autogenerated CA
> certificate/CN=PDC.dc.local
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> XXX
> -----END CERTIFICATE-----
> subject=/O=Samba Administration/OU=Samba - temporary autogenerated
> HOST certificate/CN=PDC.dc.local
> issuer=/O=Samba Administration/OU=Samba - temporary autogenerated CA
> certificate/CN=PDC.dc.local
> ---
> Acceptable client certificate CA names
> /O=Samba Administration/OU=Samba - temporary autogenerated CA
> certificate/CN=PDC.dc.local
> ---
> SSL handshake has read 2454 bytes and written 523 bytes
Here you see that s_client successfully tries an "SSL handshake" *and not*
a "TLS handshake" as you have tried with the ldapsearch command.
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: 2XXX9
> Session-ID-ctx:
> Master-Key: FXXX4
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1497693590
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ...
>
>
>
> [global]
> ...
> ldap ssl = start tls
> ldap ssl ads = No
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls crlfile =
> tls dh params file =
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0
> tls verify peer = ca_and_name
>
> Version: samba 4.6.5
>
>
> Best regards,
> Supporter 3eb
--
Regards
Harry Jede
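Harry's point is that "-Z" sends a plaintext LDAP StartTLS extended request, while an ldaps port such as 636 expects a TLS handshake from the very first byte. The script below is an added example, not code from this thread or from Samba: it builds the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) by hand, decodes the ExtendedResponse a StartTLS-capable server returns, and classifies the first bytes a server sends back so that both mismatches from the original post become visible: plaintext LDAP into an implicit-TLS port (the peer drops the connection or answers with a TLS alert, which ldapsearch reports as "Can't contact LDAP server"), and a TLS ClientHello into a plaintext port. The probe() function is for live use against a host you administer; the reply byte strings used in the demo are constructed here, and "pdc.example" is a placeholder.

```python
import socket
import ssl

# LDAP StartTLS extended operation OID (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _tlv(tag, payload):
    """Encode one BER TLV with a definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos):
    """Decode the BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)


def build_extended_response(msg_id, result_code, diag=b"", name=STARTTLS_OID):
    """Constructed server reply (ExtendedResponse, [APPLICATION 24]) for offline testing."""
    body = (_tlv(0x0A, bytes([result_code]))  # resultCode ENUMERATED
            + _tlv(0x04, b"")                  # matchedDN
            + _tlv(0x04, diag)                 # diagnosticMessage
            + _tlv(0x8A, name))                # responseName [10]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x78, body))


def parse_extended_response(data):
    """Decode the fields of an LDAP ExtendedResponse into a dict."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    tag_op, op, _ = _read_tlv(body, pos)
    if tag != 0x02 or tag_op != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(op, 0)
    _, _matched, pos = _read_tlv(op, pos)
    _, diag, pos = _read_tlv(op, pos)
    name = None
    while pos < len(op):  # optional responseName [10] / responseValue [11]
        t, val, pos = _read_tlv(op, pos)
        if t == 0x8A:
            name = val.decode()
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode(errors="replace"),
            "response_name": name}


def classify_reply(sent, reply):
    """Explain the first bytes a server returned after we sent either a
    plaintext StartTLS request ('starttls') or a TLS ClientHello ('ldaps')."""
    if not reply:
        return "closed: peer dropped the connection (ldapsearch: Can't contact LDAP server)"
    if len(reply) >= 2 and reply[1] == 0x03 and reply[0] in (0x15, 0x16):
        kind = "alert" if reply[0] == 0x15 else "handshake"
        return f"tls-{kind}: the port speaks implicit TLS, so use ldaps:// here, not -Z"
    if reply[0] == 0x30:
        if sent == "ldaps":
            return "plaintext-ldap: the port speaks clear LDAP, so use ldap:// with -Z, not ldaps://"
        r = parse_extended_response(reply)
        if r["result_code"] == 0:
            return "starttls-ok: upgrade this socket to TLS now"
        return f"starttls-refused: resultCode {r['result_code']} {r['diagnostic']!r}"
    return "unknown: reply is neither TLS nor LDAP"


def probe(host, port, mode, timeout=5.0):
    """Live check (needs network) of host:port in mode 'starttls' or 'ldaps'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if mode == "ldaps":
            ctx = ssl.create_default_context()  # verifies the chain like s_client's verify code
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return f"tls-handshake: {tls.version()} negotiated, certificate verified"
            except ssl.SSLCertVerificationError as exc:
                return f"tls-handshake: TLS spoken but certificate not trusted ({exc.verify_message})"
            except ssl.SSLError as exc:
                return f"not-tls: handshake failed ({exc.reason}); try ldap:// with -Z instead"
        sock.sendall(build_starttls_request())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            reply = b""
        return classify_reply("starttls", reply)


if __name__ == "__main__":
    # Offline demo with constructed replies; probe("pdc.example", 636, "ldaps") needs a real host.
    for sent, reply in [("starttls", build_extended_response(1, 0)),
                        ("starttls", b""),
                        ("ldaps", build_extended_response(1, 0))]:
        print(sent, "->", classify_reply(sent, reply))
```

Run against a Samba DC you administer, probe(host, 389, "starttls") should report "starttls-ok" and probe(host, 636, "ldaps") a TLS handshake; the reverse pairing (StartTLS request to 636) is the exact shape of the failure in the original post and classifies as "closed" or "tls-alert".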