[Samba] Enabling LDAPS in Samba in a dual-DC setup
Stephen
stephen at ogdenradar.com
Fri Apr 5 11:13:46 UTC 2019
Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a
backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian.
I would now like to enable LDAPS so my users can authenticate in other
non-Samba services using Active Directory. From reading the
documentation here:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
I understand that for the most basic LDAPS setup using the pre-existing
self-signed certificate I need only add the following lines to my
smb.conf to enable this:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
My questions related to this are:
1) Since I have a dual DC setup do I need to manually enable tls for
LDAPS separately on the secondary DC, or will this be automatically
detected from the primary and the settings copied over automatically?
2) How do I go about creating a dedicated user account that can be used
with third-party services (in this case redmine) to access AD via LDAPS
to retrieve user login credentials securely? For the avoidance of
confusion here I understand the processes used to create a basic AD
account. What I am specifically interested in is the particular
combination of privileges or permissions I would need to set on a basic
account to allow LDAPS access using this account. I believe I will need
to create such an account to use with redmine since I have read that
anonymous LDAPS access is not possible with AD.
3) What will happen in 700 days time when the self-certified certificate
initially created by Samba on its first execution expires? Will
everything just suddenly stop working and authentication in Redmine
come grinding to a halt? How should I remedy this?
Thanks
Stephen Ellwood