
Samba 3.0.1 and OpenLDAP 2.2.4 with TLS



Hi all, I know this may be more of a Samba question, but I'm hoping this is something someone else has done.

I've been searching the lists and web for an answer but I'm stumped; I hope someone here has an answer for me, as I'm new to this sysadmin role.
I have set up OpenLDAP to authenticate our Linux users and Exim MTAs. This all works fine with OpenLDAP only providing an ldaps:/// connection on 636.


However I cannot for the life of me get samba to speak tls to it. I've seen numerous suggestions of simply putting

ldap ssl = start_tls or
ldap ssl = on

in the smb.conf file, but neither does the trick. My dev platform, which doesn't use TLS, works fine. However, I get the following responses from the above two options.

With start_tls I get a "not supported" error:
[root@ki-14 source]# smbpasswd ritchiem
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Not Supported
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not Supported)
Failed to issue the StartTLS instruction: Not Supported
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Not Supported)
Failed to find entry for user ritchiem.
Failed to modify password entry for user ritchiem



and with ldap ssl = on, the connection just dies:

[root@ki-14 source]# smbpasswd ritchiem
New SMB password:
Retype new SMB password:
failed to bind to server with dn= cn=Manager,dc=kelvininstitute,dc=com Error: Can't contact LDAP server
(unknown)
Connection to LDAP Server failed for the 1 try!
Broken pipe



Now I'm guessing that the reason I get "Not Supported" from start_tls is that my backend db is an ldapsam with an ldaps URL, and so all comms should already be secure. However, when running strace over the above command, the reason I get a broken pipe with ssl = on is that it is trying to send the dn=cn=Manager,dc=kelvininstitute,dc=com and password as plain text.



One final thing about the smb.conf file. Is the ldap port information actually used? When running testparm it doesn't show up in the output, and the port to connect on seems to be determined by the backend passdb URI: either ldap for 386 or ldaps for 636. Is this so, or am I missing a trick?


Any suggestions on how to make this go?


TIA

--
Martin Ritchie

the Kelvin Institute
50, George Street
Glasgow
Scotland, UK
G1 1QE

www.kelvininstitute.com
+44 (0) 141 548 5719
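As an added illustration of the configuration interplay the post is asking about (this is example code written for this page, not part of the original mail and not Samba's own code), the following checker reads the ldapsam URI from "passdb backend" and the "ldap ssl" option out of an smb.conf-style [global] fragment and reports how the bind DN and password would travel to the directory. It encodes two assumptions stated here rather than taken from Samba's documentation: that the checker derives the port from the URI (389 for ldap://, 636 for ldaps://, the standard assignments), and that any plain ldap:// bind without start_tls is treated as cleartext until a packet capture proves otherwise. The sample configurations are constructed for the demo.

```python
# Added example: lint the LDAP transport settings a Samba ldapsam backend
# would use. Not Samba code; sample configs below are constructed.
import re
from urllib.parse import urlsplit

# Standard port assignments: ldap:// -> 389, ldaps:// -> 636.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample fragments mirroring the two situations in the post.
SAMPLE_LDAPS_STARTTLS = """[global]
passdb backend = ldapsam:ldaps://ldap.example.com
ldap ssl = start_tls
"""

SAMPLE_PLAIN_OFF = """[global]
passdb backend = ldapsam:ldap://ldap.example.com:389
ldap ssl = off
"""


def parse_global(conf_text):
    """Turn 'key = value' lines into a dict.

    Samba parameter names are case-insensitive and tolerate differing
    internal whitespace, so keys are lower-cased and space-normalised.
    Comment lines (# or ;) and section headers are skipped.
    """
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return settings


def ldap_endpoint(settings):
    """Return (scheme, host, port) for an 'ldapsam:<uri>' passdb backend.

    Assumption of this checker: the port is whatever the URI says, falling
    back to the scheme's standard port when the URI carries none.
    """
    backend = settings.get("passdb backend", "")
    m = re.match(r"ldapsam:(\S+)", backend)
    if not m:
        return None
    uri = m.group(1).strip('"')
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        return None
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def check_ldap_tls(settings):
    """Describe the transport the simple bind would use and flag conflicts."""
    ep = ldap_endpoint(settings)
    if ep is None:
        return ["no ldapsam URI found in 'passdb backend'"]
    scheme, host, port = ep
    ssl_opt = settings.get("ldap ssl", "").lower()
    findings = [f"LDAP endpoint {scheme}://{host}:{port}"]
    if scheme == "ldaps":
        findings.append("transport: TLS from the first byte (ldaps)")
        if ssl_opt == "start_tls":
            # StartTLS upgrades a plaintext session; there is nothing to
            # upgrade on a connection that is already TLS-wrapped.
            findings.append("conflict: start_tls requested on an ldaps:// URI; "
                            "StartTLS cannot be layered on an existing TLS session")
    elif ssl_opt == "start_tls":
        findings.append("transport: plaintext TCP upgraded via StartTLS before the bind")
    else:
        # Checker assumption: anything other than start_tls on ldap:// is
        # treated as cleartext until a capture (strace/tcpdump) shows otherwise.
        findings.append("risk: bind DN and password would cross the wire in cleartext")
    return findings


if __name__ == "__main__":
    for name, sample in (("ldaps + start_tls", SAMPLE_LDAPS_STARTTLS),
                         ("ldap + off", SAMPLE_PLAIN_OFF)):
        print(f"== {name}")
        for finding in check_ldap_tls(parse_global(sample)):
            print("  ", finding)
```

Run stand-alone it prints the endpoint and findings for both constructed fragments; the first reproduces the "StartTLS on an ldaps URI" conflict, the second the cleartext-bind risk. Feeding it a real [global] section is a quick way to see which of the two transports a given passdb line actually requests before reaching for strace.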
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba