[Samba] LDAP TLS error
Praveen Ghimire
PGhimire at sundata.com.au
Tue Apr 3 05:10:33 UTC 2018
Hi,
We're seeing some TLS LDAP related issues in our Samba 4 PDC.
Slapd gives the same message with SSL turned on and off in smb.conf
slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled)
Active: active (running) since Tue 2018-04-03 14:54:38 AEST; 4min 12s ago
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: reconnecting to LDAP server...
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=mytest - Can't contact LDAP server
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: failed to bind to LDAP server ldap://mypdc.mytest: Can't contact LDAP server
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=mytest - Can't contact LDAP server
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: failed to bind to LDAP server ldap://mypdc.mytest: Can't contact LDAP server
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 03 14:54:38 mypdc slapd[9884]: slapd starting
Apr 03 14:54:38 mypdc slapd[9875]: ...done.
Apr 03 14:54:38 mypdc systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
I can run ldapwhoami (with and without -d1):
ldapwhoami -H ldap:// -x -ZZ
anonymous
ldap_url_parse_ext(ldap://)
ldap_create
ldap_url_parse_ext(ldap://:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
Following is /etc/ldap/ldap.conf:
BASE dc=mytest
URI ldap://mypdc.mytest
TLS_CACERT /etc/ldap/ca_certs.pem
TLS_REQCERT allow
smb.conf:
#LDAP
passdb backend = ldapsam:ldap://mypdc.mytest
ldap admin dn = cn=admin,dc=mytest
ldap suffix = dc=mytest
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap backend = ldap
ldap idmap suffix = ou=idmap
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://mypdc.mytest/
idmap config *: ldap_base_dn = ou=idmap,dc=mytest
idmap config *: ldap_user_dn = cn=admin,dc=mytest
ldap delete dn = yes
ldap password sync = yes
# ldap ssl = off
If I uncomment #ldap ssl = off and restart the services (smbd, nmbd and slapd) I get the same message.
Regards,
Praveen Ghimire