[Samba] Enabling LDAPS in Samba in a dual-DC setup

Marco Gaiarin gaio at sv.lnf.it
Fri Apr 5 12:21:38 UTC 2019

Mandi! Stephen via samba
  In chel di` si favelave...


> 1) Since I have a dual DC setup do I need to manually enable tls for LDAPS
> separately on the secondary DC, or will this be automatically detected from
> the primary and the settings copied over automatically?

Settings are in smb.conf, and i doubt certs config can reside on LDAP
because... a cert config would be necessary to access LDAP. Classical
bootstrap problem.
So, i suppose, for every DC.

> 3) What will happen in 700 days time when the self-certified certificate
> initially created by Samba on its first execution expires? Will everything
> just suddenly stop working suddenly and authentication in Redmine come
> grinding to a halt? How should I remedy this?

I think all is governed by 'libldap', so probably you can simply put:


in /etc/ldap/ldap.conf (in debian based distro) and simply skip cert

> 2) How do I go about creating a dedicated user account that can be used with
> third-party services (in this case redmine) to access AD via LDAPS to
> retrieve user login credentials securely? For the avoidance of confusion
> here I understand the processes used to create a basic AD account. What I am
> specifically interested in is the particular combination of privileges or
> permissions i would need to set on a basic account to allow LDAPS access
> using this account. I believe I will need to create such an account to use
> with redmine since I have read that anonymous LDAPS access is not possible
> with AD.

Good point. I've looked also i for some hint, but lead to nothing.

For now, i've created a specific OU for that users, create a group and
remove 'Domain Users' group for that users; also, i've no rfc2307 data
for that user.

dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list