TLS and SSL with 2.2.5
Shahms E. King
shahms at shahms.com
Wed Jul 3 15:45:04 GMT 2002
On Wed, 2002-07-03 at 15:32, Jeff Mandel wrote:
> Does Samba support TLS only?
No, pam_ldap supports TLS, SSL and unencrypted connections, and either
SSL or TLS is the default these days; I can't remember which.
> I am trying to get the 2.2.5 version of Samba to work with LDAP and
> SSL/TLS on Solaris 8 with iPlanet's Directory 5.x.
> I can successfully compile and run nss_ldap and pam_ldap over ssl, but
> those are compiled against the mozilla ldapsdk.
This might be your problem. The LDAP code has only been tested (well,
by me) compiling against and connecting to an OpenLDAP server.
> It seems that the samba code only supports TLS, and the mozilla sdk only
> supports ssl. Please correct me if I'm wrong here.
> I can build against both Solaris and mozilla sdk ldap libraries and
> connect fine in the clear, but setting up ssl fails when I attempt to
> update an ldap password using smbpasswd with: "Secure connection not
> supported by LDAP client libraries" So it would seem I need to build
> against openldap.
Yes, that's the recommended way to build it.
> So I built openldap with openssl and tls for starters. I thought I might
> then be able to build samba against the openldap libraries and get
> client TLS support. Please let me know if I should give up now.
I know nothing of iPlanet, is it LDAPv3 or v2? StartTLS is only
supported in v3.
> For any of you who have compiled against OpenLDAP and OpenSSL, I'm
> wondering if you can help with a problem I'm having getting a TLS
> connection to my iPlanet (v5.x) directory. I'm just starting with a basic
> ldapsearch -Z and being rejected for an unknown certificate:
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA, issuer:
> /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
And after all that, it looks like this is really where the problem lies:
Samba is NOT happy with a self-signed cert, apparently... (well,
OpenSSL isn't happy). I know there is some way to tell it to "shut up and
connect already" but I can't remember ATM.
--Shahms
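As an added illustration (not code from this thread, Samba or OpenLDAP), the script below parses the `TLS certificate verification:` line from the ldapsearch trace quoted above, recognises err 19 as a CA that the client simply does not trust (subject equals issuer at depth 1), and emits the ldap.conf fix that keeps verification on. It assumes the OpenLDAP client directives `TLS_CACERT` and `TLS_REQCERT` from ldap.conf(5), which libldap-linked tools such as smbpasswd read, and a hypothetical CA file path; the sample trace is constructed from the quoted one with the subject/issuer joined onto a single line.

```python
import re
from typing import Optional

# OpenSSL X509_V_ERR_* codes relevant to this thread; err 19 is the one in the trace.
VERIFY_ERRORS = {
    18: "self-signed certificate (server cert is its own issuer)",
    19: "self-signed certificate in chain (issuing CA not in the client trust store)",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Constructed sample, shaped like the quoted ldapsearch -Z trace (one line per step).
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA, issuer: /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect.
"""

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)


def diagnose(trace: str) -> Optional[dict]:
    """Return the first failed verification step as a dict, or None if nothing failed."""
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if m and int(m["err"]) != 0:
            subject, issuer = m["subject"].strip(), m["issuer"].strip()
            return {
                "depth": int(m["depth"]),
                "err": int(m["err"]),
                "reason": VERIFY_ERRORS.get(int(m["err"]), "other verification error"),
                "self_signed": subject == issuer,  # a CA root signs itself
                "ca_dn": issuer,
            }
    return None


def ldap_conf_fix(diag: dict, ca_file: str = "/etc/openldap/cacerts/site-ca.pem") -> str:
    """Recommend trusting the site CA rather than 'TLS_REQCERT never' (hypothetical path)."""
    if diag["self_signed"] and diag["err"] in VERIFY_ERRORS:
        return (f"# trust the site CA ({diag['ca_dn']}) instead of switching verification off\n"
                f"TLS_CACERT {ca_file}\nTLS_REQCERT demand\n")
    return "# not a missing-CA error; inspect the server's certificate chain first\n"
```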