[Samba] LDAP TLS error

Praveen Ghimire PGhimire at sundata.com.au
Tue Apr 3 05:10:33 UTC 2018


Hi,

We're seeing some TLS LDAP related issues in our Samba 4 PDC.

Slapd gives the same message with SSL turned on and off in smb.conf:

slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
   Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled)
   Active: active (running) since Tue 2018-04-03 14:54:38 AEST; 4min 12s ago
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: reconnecting to LDAP server...
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=mytest - Can't contact LDAP server
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: failed to bind to LDAP server ldap://mypdc.mytest: Can't contact LDAP server
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=mytest - Can't contact LDAP server
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: failed to bind to LDAP server ldap://mypdc.mytest: Can't contact LDAP server
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 03 14:54:38 mypdc slapd[9884]: slapd starting
Apr 03 14:54:38 mypdc slapd[9875]:    ...done.
Apr 03 14:54:38 mypdc systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).


I can run ldapwhoami (with and without -d1):
ldapwhoami -H ldap:// -x -ZZ
anonymous

ldap_url_parse_ext(ldap://)
ldap_create
ldap_url_parse_ext(ldap://:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful

The following is /etc/ldap/ldap.conf:

BASE   dc=mytest
URI    ldap://mypdc.mytest
TLS_CACERT /etc/ldap/ca_certs.pem
TLS_REQCERT allow


smb.conf:

#LDAP
  passdb backend = ldapsam:ldap://mypdc.mytest
  ldap admin dn = cn=admin,dc=mytest
  ldap suffix = dc=mytest
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap backend = ldap
  ldap idmap suffix = ou=idmap
  idmap config *: backend = ldap
  idmap config *: range = 10000-19999
  idmap config *: ldap_url = ldap://mypdc.mytest/
  idmap config *: ldap_base_dn = ou=idmap,dc=mytest
  idmap config *: ldap_user_dn = cn=admin,dc=mytest
  ldap delete dn = yes
  ldap password sync = yes
#  ldap ssl = off

If I uncomment "#ldap ssl = off" and restart the services (smbd, nmbd and slapd), I get the same message.

Regards,

Praveen Ghimire
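The two things a reader of this post would want to check, as an added example that is not part of the original message: whether the client-side TLS_REQCERT setting in the quoted ldap.conf actually verifies the server certificate (with "allow", a bad or missing certificate is accepted, so a StartTLS that succeeds with -ZZ says nothing about the CA in TLS_CACERT), and how many nss_ldap failures the slapd unit logged before its own "slapd starting" line. The sample inputs are copied from the post; the function names are my own.

```python
import re

# Constructed sample: the /etc/ldap/ldap.conf quoted in the post.
LDAP_CONF = """\
BASE   dc=mytest
URI    ldap://mypdc.mytest
TLS_CACERT /etc/ldap/ca_certs.pem
TLS_REQCERT allow
"""
# Constructed sample: a subset of the slapd journal lines quoted in the post.
JOURNAL = """\
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: failed to bind to LDAP server ldap://mypdc.mytest: Can't contact LDAP server
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 03 14:54:38 mypdc slapd[9884]: slapd starting
"""
# How much server-certificate checking each TLS_REQCERT value gives the client
# (ldap.conf(5)); below "demand", a bad or missing certificate is accepted.
REQCERT_LEVEL = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}
JOURNAL_RE = re.compile(r"^\w{3} \d\d \S+ \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILURE_MARKERS = ("Can't contact LDAP server", "Server is unavailable")

def parse_ldap_conf(text):
    """Return {KEY: value} for the 'KEY value' lines of an ldap.conf file."""
    lines = (ln.strip() for ln in text.splitlines())
    pairs = ((ln.split(None, 1) + [""])[:2] for ln in lines if ln and not ln.startswith("#"))
    return {k.upper(): v.strip() for k, v in pairs}

def tls_findings(conf):
    """Findings about client TLS settings; an empty list means nothing to report."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # "demand" is the default
    if REQCERT_LEVEL.get(reqcert, 0) < 3:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: nothing to verify the server against")
    return findings

def nss_ldap_failures_before_start(journal):
    """Count nss_ldap failures the slapd unit logged before its own 'slapd starting' line."""
    failures = 0
    for line in journal.splitlines():
        m = JOURNAL_RE.match(line)
        if not m or m["prog"] != "slapd":
            continue
        if m["msg"].startswith("slapd starting"):
            break
        if m["msg"].startswith("nss_ldap:") and m["msg"].endswith(FAILURE_MARKERS):
            failures += 1
    return failures
```

Run the same functions over the real /etc/ldap/ldap.conf and `journalctl -u slapd` output to see whether "TLS_REQCERT demand" changes what ldapwhoami -ZZ reports.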