On Fri, 8 Jan 2016, Graham Allan wrote:
Replying to my own message here, but I continue to investigate my problem and
can't explain what I see. I put together a small test program to connect to
our ldap server using the same parameters as smbd. Setting "ldap debug level = 1"
in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program shows the
smbd output complaining of certificate signature failure.

smbd output:
...
[LDAP] TLS certificate verification: depth: 0, err: 7, subject:
/C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street
SE/O=University of Minnesota/OU=School of Physics and
Astronomy/CN=ldap.spa.umn.edu,[LDAP] issuer: /C=US/ST=MI/L=Ann
Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
[LDAP] TLS certificate verification: Error, certificate signature failure

Some certs verify, another doesn't: so what's different about that cert?
Different signature hash algorithm, sha256 perhaps?
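
Added example, not part of the original thread: a small parser for the "[LDAP] TLS certificate verification" lines quoted above. It rejoins the mail-wrapped output and reports depth, error code and the subject and issuer CN, so the failing certificate can be compared with the ones that verify. The sample log and the function names are constructed, and the mapping of "err" to OpenSSL X509_V_ERR_* names assumes libldap is built against OpenSSL.

```python
import re

# Subset of OpenSSL X509_V_ERR_* codes (assumption: libldap uses OpenSSL).
VERIFY_ERRORS = {
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# Constructed sample, wrapped the way a mail client wraps the real output.
SAMPLE_LOG = """\
[LDAP] TLS certificate verification: depth: 0, err: 7, subject:
/C=US/O=Example Org/OU=Example
Unit/CN=ldap.example.org,[LDAP] issuer: /C=US/O=Example CA Org/CN=Example
Server CA
[LDAP] TLS certificate verification: Error, certificate signature failure
"""

RECORD = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.*?),\s*(?:\[LDAP\]\s*)?issuer: (.*?)(?=\s*\[LDAP\]|\s*$)"
)

def _cn(dn):
    """Pull the CN component out of a slash-separated DN string."""
    m = re.search(r"/CN=([^/,]+)", dn)
    return m.group(1).strip() if m else None

def parse_verify_records(text):
    """Return one dict per verification record found in the debug output."""
    # Undo line wrapping: every break in the wrapped log stood for a space.
    flat = " ".join(l.strip() for l in text.splitlines() if l.strip())
    records = []
    for m in RECORD.finditer(flat):
        err = int(m.group(2))
        records.append({
            "depth": int(m.group(1)),  # 0 = the server (leaf) certificate
            "err": err,
            "err_name": VERIFY_ERRORS.get(err, "unknown"),
            "subject_cn": _cn(m.group(3)),
            "issuer_cn": _cn(m.group(4)),
        })
    return records

if __name__ == "__main__":
    for rec in parse_verify_records(SAMPLE_LOG):
        print(rec)
```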