[Samba] tls verify peer with custom self-signed certificate

lingpanda101 lingpanda101 at gmail.com
Tue Apr 17 15:12:45 UTC 2018


On 4/17/2018 3:56 AM, Marco Gaiarin via samba wrote:
> Hello! lingpanda101 via samba
>    On that day it was said...
>
>>      When using a custom self-signed certificate, what is the appropriate
>> value for 'tls verify peer ='?
> ...AFAIK the same for every certificate; the CA's certificates have to
> be in the 'central store', or have to be explicitly set via 'tls cafile ='.
>
> Some distros have a framework to add certificates to the central store,
> e.g. the Debian ca-certificates/ssl-cert packages:
>
> 	https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html
>
Hello Marco,

Thank you for your comment. I tried adding to my central store but
I'm not getting the results I expect. Further research shows I may be
going around my issue all wrong.

I'm attempting to tighten my security settings on my DCs. Specifically,
the following commands.

  * ldap server require strong auth = no
  * tls verify peer = no_check

I have external applications such as Apache, NGINX or IIS that I authenticate
with against my DCs. If I enable 'ldap server require strong auth =
yes', I break authentication. I thought I needed to configure LDAPS to
correct the issue. Reading through the list I see references to not using
LDAPS but Kerberos

-- 
James
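As an added illustration, not part of the original thread or of Samba itself, the script below parses an smb.conf fragment and flags the two settings James lists when they hold the weak values ('no' and 'no_check') or are left unset; the sample configs are constructed, and the 'tls cafile' path in the hardened one is a placeholder.

```python
"""Added example: audit a Samba smb.conf for the two weak settings named in the
thread.  Not Samba code; the sample configs below are constructed."""
import re

# Values accepted by smb.conf(5) for each option; anything else is flagged.
# 'tls verify peer' sets how strictly Samba checks a peer's certificate and name.
STRONG = {
    "ldap server require strong auth": {"yes", "allow_sasl_over_tls"},
    "tls verify peer": {"ca_only", "ca_and_name_if_available",
                        "ca_and_name", "as_strict_as_possible"},
}

def parse_smb_conf(text):
    """Return {section: {key: value}}; Samba ignores case and spacing in keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # full-line comments only
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            sections[current][key] = value.strip().lower()
    return sections

def audit(text):
    """List (option, value) pairs in [global] that are weak or not set.
    An unset option is flagged too: its default varies by Samba version,
    so confirm the effective value with 'testparm -v'."""
    g = parse_smb_conf(text).get("global", {})
    return [(opt, g.get(opt, "<unset>")) for opt, ok in STRONG.items()
            if g.get(opt, "<unset>") not in ok]

# Constructed sample: the two settings as the thread describes them.
WEAK_CONF = """\
[global]
    server role = active directory domain controller
    ldap server require strong auth = no
    tls verify peer = no_check
"""

# Constructed sample: strong auth required and the self-signed CA pinned
# explicitly via 'tls cafile' (path is a placeholder).
HARDENED_CONF = """\
[global]
    server role = active directory domain controller
    ldap server require strong auth = yes
    tls verify peer = ca_and_name
    tls cafile = /etc/samba/tls/ca.pem
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```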


