[Samba] Enabling LDAPS in Samba in a dual-DC setup
Marco Gaiarin
gaio at sv.lnf.it
Fri Apr 5 12:21:38 UTC 2019
Hi, Stephen via samba!
On that day it was said...
AFAIK.
> 1) Since I have a dual DC setup do I need to manually enable tls for LDAPS
> separately on the secondary DC, or will this be automatically detected from
> the primary and the settings copied over automatically?
Settings are in smb.conf, and I doubt the certs config can reside in LDAP
because... a cert config would be necessary to access LDAP. Classical
bootstrap problem.
So, I suppose, for every DC.
> 3) What will happen in 700 days time when the self-certified certificate
> initially created by Samba on its first execution expires? Will everything
> just suddenly stop working and authentication in Redmine come
> grinding to a halt? How should I remedy this?
I think all is governed by 'libldap', so probably you can simply put:
TLS_REQCERT never
in /etc/ldap/ldap.conf (in debian based distro) and simply skip cert
verification.
> 2) How do I go about creating a dedicated user account that can be used with
> third-party services (in this case redmine) to access AD via LDAPS to
> retrieve user login credentials securely? For the avoidance of confusion
> here I understand the processes used to create a basic AD account. What I am
> specifically interested in is the particular combination of privileges or
> permissions I would need to set on a basic account to allow LDAPS access
> using this account. I believe I will need to create such an account to use
> with redmine since I have read that anonymous LDAPS access is not possible
> with AD.
Good point. I've also looked for some hint, but it led to nothing.
For now, I've created a specific OU for those users, created a group and
removed the 'Domain Users' group from those users; also, I've no rfc2307 data
for that user.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
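The expiry question above (the self-signed cert Samba generates, one per DC) can be handled without `TLS_REQCERT never`: trust the CA Samba created and watch the days left on each DC. The following is an added example, not code from the thread; it assumes the stock Samba private-dir layout for the CA path and two hypothetical DC hostnames.

```python
import socket
import ssl
import time

# Assumption: default Samba layout. If smb.conf sets "tls cafile",
# point this at that file instead. This is the CA that signed the
# self-signed LDAPS certificate Samba generated on first start.
SAMBA_CA = "/var/lib/samba/private/tls/ca.pem"


def days_left(not_after, now=None):
    """Days until expiry, from the notAfter string ssl.getpeercert()
    returns, e.g. 'Apr  5 12:21:38 2021 GMT'. Negative means expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400.0


def check_dc(host, cafile=SAMBA_CA, port=636, warn_days=30):
    """Open an LDAPS connection to one DC, verify its certificate against
    the Samba CA (instead of disabling verification), and report the
    remaining validity. Raises ssl.SSLError if the cert is not trusted
    or already expired, which is exactly what a monitor should alarm on."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    remaining = days_left(cert["notAfter"])
    return {"host": host, "days_left": remaining, "warn": remaining < warn_days}


if __name__ == "__main__":
    import sys
    # Each DC has its own smb.conf and its own certificate, so every DC
    # must be checked separately. Hostnames below are placeholders.
    for dc in sys.argv[1:] or ["dc1.example.lan", "dc2.example.lan"]:
        try:
            print(check_dc(dc))
        except (OSError, ssl.SSLError) as exc:
            print(f"{dc}: FAILED ({exc})")
```

Run it from cron against both DCs; a `warn` of True or a failed handshake is the signal to renew the certificate on that DC before Redmine's binds start failing.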