gitlab: testing of ldap-ssl-ads option

Andrew Bartlett abartlet at samba.org
Mon Jun 22 19:32:21 UTC 2020


On Mon, 2020-06-22 at 10:42 +0200, Isaac Boukris via samba-technical
wrote:
> Hi Björn
> 
> On Mon, Jun 22, 2020 at 10:30 AM Björn Baumbach <bb at sernet.de> wrote:
> > On 6/19/20 11:57 PM, Isaac Boukris via samba-technical wrote:
> > > 
> > > My bad, it was rather easy to reproduce, it only worked in my lab
> > > because I have 'TLS_REQCERT=allow' in ldap.conf.
> > 
> > For testing purposes I typically specify the ca cert the following way:
> > 
> > LDAPTLS_CACERT=/var/lib/samba/private/tls/ca.crt ldapsearch -H ...
> 
> Yeah, that was my last attempt in MR 1402 for the ad_dc_ntvfs env (per
> some comment, fl2008r2dc uses a self-signed cert), that looks like
> working in my lab but not on gitlab yet.
> 
> btw, my assumption was that the smb.conf would be taken into effect
> for the openldap calls, but it seems not - I need to test more
> however.
> 
> $ cat st/client/client.conf |grep tls
> tls cafile = /home/admin/git/samba/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
> tls crlfile = /home/admin/git/samba/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
> tls verify peer = no_check

One of the critical tasks that we must address (in one way or another)
with the multiple LDAP stacks in Samba is the lack of consistency in
the handling of LDAP over TLS.

This, from "tls priority" perhaps best sums up documentation that
follows the Futurama line: "You are technically correct - the best kind
of correct"

   <para>This option can be set to a string describing the TLS protocols
   to be supported in the parts of Samba that use GnuTLS, specifically
   the AD DC.
   </para>

This isn't very much use to our administrators as they don't really
know for sure what parts of our codebase use GnuTLS and how to
configure the other parts.  

Furthermore, our other options like tls verify don't even say this
much.  Even if we can't merge the stacks or options soon, we should at
least have those options point at what (eg ldap.conf) configuration to
use instead.

Likewise, ldap ssl ads should explain more which operations it applies
to (additionally note it doesn't apply to tldap and so idmap_ad as TLS
isn't implemented there yet).

This is particularly important with the renewed interest in LDAP over
SSL (often legitimate, but also often misplaced due to
misunderstandings from the pending Microsoft change).

Finally, and yes I'm a broken record, but this is why I'm passionate to
avoid us having multiple significant stacks here.  We need unification
not just for avoiding internal redundancy, but so our security-
sensitive configuration options work consistently.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
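
The thread turns on which setting the OpenLDAP client library actually uses for certificate checking. The script below is an added example, not part of the original message or of Samba: it resolves the effective `TLS_REQCERT` level from an ldap.conf-style file plus the `LDAPTLS_REQCERT` environment override and classifies it. The function names, the sample file and its hostname are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: work out which TLS_REQCERT level an
# OpenLDAP (libldap) client ends up with and whether it verifies the server.

# effective_reqcert FILE [ENV_VALUE]: print the level, lowercased.
# ENV_VALUE stands for the LDAPTLS_REQCERT environment variable.
effective_reqcert() {
    conf=$1
    env_value=${2-}
    level=demand                       # libldap default when nothing is set
    if [ -r "$conf" ]; then
        # Option names are case-insensitive; a later line replaces an earlier one.
        found=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
                     END { if (v != "") print v }' "$conf")
        if [ -n "$found" ]; then level=$found; fi
    fi
    # The environment variable takes precedence over the file.
    if [ -n "$env_value" ]; then
        level=$(printf '%s' "$env_value" | tr 'A-Z' 'a-z')
    fi
    printf '%s\n' "$level"
}

# classify_reqcert LEVEL: what the level means for server authentication.
classify_reqcert() {
    case $1 in
        demand|hard) echo verified ;;    # valid certificate required
        try)         echo partial ;;     # bad cert rejected, missing cert accepted
        allow|never) echo unverified ;;  # bad or missing cert is accepted
        *)           echo unknown ;;
    esac
}

# Constructed sample file mirroring the lab setting mentioned in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
URI ldaps://dc.samba.example.com
TLS_CACERT /var/lib/samba/private/tls/ca.crt
tls_reqcert allow
EOF
for override in "" demand; do
    lvl=$(effective_reqcert "$sample" "$override")
    printf 'LDAPTLS_REQCERT=%s -> %s (%s)\n' "${override:-unset}" "$lvl" \
        "$(classify_reqcert "$lvl")"
done
rm -f "$sample"
```

It reads only the libldap side; the smb.conf `tls` options quoted above are a separate configuration and are not consulted here.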




