[Samba] Enabling LDAPS in Samba in a dual-DC setup
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 5 11:53:19 UTC 2019
If you don't want to use the self-signed certs.
I can recommend:
https://hohnstaedt.de/xca/
Set up your own CA root.
Set up the certificates for the servers and deploy the Root Cert.
Now it's in your hands when things expire.
Or
https://lists.samba.org/archive/samba/2019-January/220463.html
I've not tested that yet but it's high on my list to test.
Greetz,
Louis
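Whichever route you take (Samba's self-signed certificate or your own CA), each DC serves its own cert.pem on port 636, so expiry has to be watched per DC. The script below is an added example, not from this thread or the Samba project: it computes the days left on a certificate from openssl's `-enddate` output, both for the local file and for whatever each DC presents over LDAPS. The private dir path and the DC names ad1/ad2 are assumptions taken from the question; it needs GNU date and openssl.

```shell
#!/bin/sh
# Added example (not from the thread): report how many days the DC's TLS
# certificate has left, locally and as presented on LDAPS by each DC.
# Assumed values: the default Samba private dir and DC names from the question.
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/var/lib/samba/private}"   # assumption
DCS="${DCS:-ad1 ad2}"                                      # from the question

# days_left 'notAfter=<date>' [now_epoch]
# Prints whole days until the openssl -enddate value, negative once expired.
# now_epoch is optional so the function can be checked against a fixed clock.
days_left() {
    end="${1#notAfter=}"
    [ -n "$end" ] || return 1
    end_epoch=$(date -u -d "$end" +%s) || return 1       # GNU date
    now_epoch="${2:-$(date -u +%s)}"
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# cert_days_left /path/to/cert.pem -> days left for a certificate file
cert_days_left() {
    days_left "$(openssl x509 -in "$1" -noout -enddate)"
}

# remote_cert_days_left host -> days left on the cert host serves on 636.
# Fails (exit 1) when no TLS handshake could be completed at all.
remote_cert_days_left() {
    enddate=$(openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null)
    [ -n "$enddate" ] || return 1
    days_left "$enddate"
}

# Run the checks only when invoked as: sh ldaps_expiry.sh check
if [ "${1:-}" = check ]; then
    if left=$(cert_days_left "$SAMBA_PRIVATE/tls/cert.pem"); then
        echo "local cert.pem expires in $left days"
        if [ "$left" -lt 30 ]; then echo "WARNING: renew the local certificate soon"; fi
    fi
    for dc in $DCS; do
        if left=$(remote_cert_days_left "$dc"); then
            echo "$dc: LDAPS ok, certificate expires in $left days"
        else
            echo "$dc: LDAPS handshake FAILED"
        fi
    done
fi
```

Run it from cron on each DC and alert when the reported days fall under your renewal window; a negative value means clients are already refusing the certificate.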
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stephen via samba
> Sent: Friday 5 April 2019 13:14
> To: samba at lists.samba.org
> Subject: [Samba] Enabling LDAPS in Samba in a dual-DC setup
>
> Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a
> backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian.
>
> I would now like to enable LDAPS so my users can authenticate in other
> non-Samba services using Active Directory. From reading the
> documentation here:
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> I understand that for the most basic LDAPS setup using the pre-existing
> self-signed certificate I need only add the following lines to my
> smb.conf to enable this:
>
> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
>
> My questions related to this are:
>
> 1) Since I have a dual DC setup do I need to manually enable tls for
> LDAPS separately on the secondary DC, or will this be automatically
> detected from the primary and the settings copied over automatically?
>
> 2) How do I go about creating a dedicated user account that can be used
> with third-party services (in this case redmine) to access AD via LDAPS
> to retrieve user login credentials securely? For the avoidance of
> confusion here I understand the processes used to create a basic AD
> account. What I am specifically interested in is the particular
> combination of privileges or permissions I would need to set on a basic
> account to allow LDAPS access using this account. I believe I will need
> to create such an account to use with redmine since I have read that
> anonymous LDAPS access is not possible with AD.
>
> 3) What will happen in 700 days' time when the self-certified certificate
> initially created by Samba on its first execution expires? Will
> everything just suddenly stop working and authentication in Redmine
> come grinding to a halt? How should I remedy this?
>
> Thanks
> Stephen Ellwood