[Samba] tls verify peer with custom self-signed certificate
lingpanda101
lingpanda101 at gmail.com
Tue Apr 17 15:12:45 UTC 2018
On 4/17/2018 3:56 AM, Marco Gaiarin via samba wrote:
> Mandi! lingpanda101 via samba
> In chel di` si favelave...
>
>> When using a custom self-signed certificate, what is the appropriate
>> value for 'tls verify peer ='?
> ...AFAIk the same for every certificates; the CA's certificates have to
> be in ''central store'', or have to be explicitly set via 'tls cafile ='.
>
> Some distro have a framework to add certificates to the central store,
> eg debian ca-certificates/ssl-cert packages:
>
> https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html
>
Hello Marco,
Thank you for your comment. I tried adding to my central store but
I'm not getting the results I expect. Further research shows I may be
going around my issue all wrong.
I'm attempting to tighten my security settings on my DC's. Specifically
the following commands.
* ldap server require strong auth = no
* tls verify peer = no_check
I have external applications such as Apache, NGINX or IIS I authenticate
with against my DC's. If I enable 'ldap server require strong auth =
yes'. I break authentication. I thought I needed to configure ldaps to
correct the issue. Reading through the list I see reference to not using
ldaps but Kerberos
--
--
James
More information about the samba
mailing list