Hey!
Then, I managed to do samba+ldap+tls, but I have no client certificate..
Maybe it will help you...
I use samba 3.0.2a with openldap 2.1.23 on debian woody.
my /etc/ld.so.conf
$ cat /etc/ld.so.conf
/usr/X11R6/lib
/usr/local/openldap/lib
/usr/local/openssl/lib
# end file#
I had a very big problem.. I had an old ldap library in /usr/lib, so the ldap
compilation found only this one and not the good library which is
in /usr/local/openldap/lib :)
So I added /usr/local/openldap/lib and /usr/local/openssl/lib to my ld.so.conf
$ ldconfig
to reload the libraries
$ export CPPFLAGS="-I/usr/local/openldap/include -I/usr/local/openssl/include" LDFLAGS="-L/usr/local/openldap/lib -L/usr/local/openssl/lib"
$ ./configure --with-ldap --prefix=/usr/local/samba --enable-shared
$ make
$ ldd /bin/smbd
the good libssl and libcrypto must be here!!!!!
$ make install
In my smb.conf I just added:
ldap ssl = start tls
restart samba
Then some tests:
terminal 1 :
$ /usr/local/openldap/libexec/slapd -h "ldap://svrldap.tzm.fr:389" -d 127
enter the passphrase:
terminal 2 :
$ ssldump -i lo "host svrldap.tzm.fr and port 389"
terminal 3 :
$ tethereal -i lo "host svrldap.tzm.fr and port 389"
Try to connect from Windows 98 (I don't use XP) with my ldap-samba user.
You must see some "tls read" on terminal 1,
something like this on terminal 2:
[it's just an extract]
New TCP connection #1: svrldap.tzm.fr(32790) <-> svrldap.tzm.fr(389)
1 1  0.0114 (0.0114)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1 2  0.0136 (0.0022)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]          16 5d 80 db ac 80 31 54 b7 1b f0 31 9b 8d f1 10
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
1 3  0.0136 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0136 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.0181 (0.0044)  C>S  Handshake
      ClientKeyExchange
1 6  0.0181 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0181 (0.0000)  C>S  Handshake
1 8  0.0262 (0.0080)  S>C  ChangeCipherSpec
1 9  0.0262 (0.0000)  S>C  Handshake
1 10 0.0272 (0.0010)  C>S  application_data
1 12 0.0296 (0.0024)  S>C  application_data
and something like this on terminal 3:
  0.000000 svrldap.tzm.fr -> svrldap.tzm.fr TCP 32785 > ldap [SYN] Seq=1477336127 Ack=0 Win=32767 Len=0
  0.000045 svrldap.tzm.fr -> svrldap.tzm.fr TCP ldap > 32785 [SYN, ACK] Seq=1478002505 Ack=1477336128 Win=32767 Len=0
  0.000075 svrldap.tzm.fr -> svrldap.tzm.fr TCP 32785 > ldap [ACK] Seq=1477336128 Ack=1478002506 Win=32767 Len=0
  0.003345 svrldap.tzm.fr -> svrldap.tzm.fr LDAP MsgId=1 MsgType=Bind Request
  0.005050 svrldap.tzm.fr -> svrldap.tzm.fr LDAP MsgId=1 MsgType=Bind Result
  0.005083 svrldap.tzm.fr -> svrldap.tzm.fr TCP 32785 > ldap [ACK] Seq=1477336166 Ack=1478002520 Win=32767 Len=0
  0.006036 svrldap.tzm.fr -> svrldap.tzm.fr LDAP MsgId=2 MsgType=Search Request
  0.009912 svrldap.tzm.fr -> svrldap.tzm.fr LDAP MsgId=2 MsgType=Search Entry
  0.010997 svrldap.tzm.fr -> svrldap.tzm.fr LDAP MsgId=2 MsgType=Search Result
  0.030515 svrldap.tzm.fr -> svrldap.tzm.fr TCP 32786 > ldap [ACK] Seq=1472687491 Ack=1464059373 Win=32767 Len=0
  0.032474 svrldap.tzm.fr -> svrldap.tzm.fr LDAP MsgId=1 MsgType=Extended Request
  0.032516 svrldap.tzm.fr -> svrldap.tzm.fr TCP ldap > 32786 [ACK] Seq=1464059373 Ack=1472687522 Win=32767 Len=0
  0.033563 svrldap.tzm.fr -> svrldap.tzm.fr LDAP MsgId=1 MsgType=Unknown message type (24)
Hope it helps :D
Gabrielle
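As an added check for the ldd step in the post above (my example, not code from Gabrielle's message): a small sh script that parses ldd output and confirms that libldap, libssl and libcrypto resolve under the OpenLDAP and OpenSSL prefixes the post uses, rather than a stale copy in /usr/lib. The two ldd samples are constructed to mimic the broken and the fixed state, and the smbd path in the usage line assumes the --prefix from the post.

```shell
#!/bin/sh
# Added example, not from the post: verify which directories the freshly
# built smbd resolves its LDAP and SSL libraries from. Feed it `ldd` output.
# Library directories assumed from the post's ld.so.conf.
OPENLDAP_LIB=/usr/local/openldap/lib
OPENSSL_LIB=/usr/local/openssl/lib

# Constructed sample: libldap picked up from the stale /usr/lib copy.
SAMPLE_LDD_BAD='
	libldap.so.2 => /usr/lib/libldap.so.2 (0x40020000)
	liblber.so.2 => /usr/lib/liblber.so.2 (0x40050000)
	libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40060000)
	libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40090000)
	libc.so.6 => /lib/libc.so.6 (0x40180000)
'
# Constructed sample: everything resolves under the intended prefixes.
SAMPLE_LDD_GOOD='
	libldap.so.2 => /usr/local/openldap/lib/libldap.so.2 (0x40020000)
	liblber.so.2 => /usr/local/openldap/lib/liblber.so.2 (0x40050000)
	libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x40060000)
	libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x40090000)
	libc.so.6 => /lib/libc.so.6 (0x40180000)
'

# check_lib_dir LDD_OUTPUT LIBNAME EXPECTED_DIR
# Succeeds only if LIBNAME is linked and resolves to a file under EXPECTED_DIR.
check_lib_dir() {
	# Resolved path of the first soname that starts with LIBNAME.so
	path=$(printf '%s\n' "$1" |
		awk -v lib="$2" '$1 ~ ("^" lib "\\.so") && $2 == "=>" { print $3; exit }')
	[ -n "$path" ] || { echo "$2: not linked" >&2; return 1; }
	case "$path" in
		"$3"/*) echo "$2: ok ($path)"; return 0 ;;
		*) echo "$2: resolves to $path, expected $3" >&2; return 1 ;;
	esac
}

# verify_smbd_libs LDD_OUTPUT: the three libraries the post says must be right
verify_smbd_libs() {
	check_lib_dir "$1" libldap "$OPENLDAP_LIB" &&
	check_lib_dir "$1" libssl "$OPENSSL_LIB" &&
	check_lib_dir "$1" libcrypto "$OPENSSL_LIB"
}

# Usage on the real binary (path assumed from --prefix=/usr/local/samba):
#   verify_smbd_libs "$(ldd /usr/local/samba/sbin/smbd)"
```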
>From: El-nino <el-nino@gmx.li>
>Reply-To: el-nino@gmx.li
>To: <samba@lists.samba.org>
>Subject: [Samba] Samba, LDAP und TLS
>Date: Fri, 4 Jun 2004 15:02:34 +0200
>
>Hi List ;-)
>I consider my question to be a rather simple one ... nevertheless I could not
>find an answer to it up to now.
>I have an OpenLDAP-server which is the user-db for a samba3-server. I want to
>use TLS for secure communication, so I created a ca for this as well as
>keys/certificates for my LDAP and samba-server. Informing the LDAP-server
>about its certificate/key is easy ... but how do I let samba know about its
>key and certificate? As far as I can see, samba doesn't use the
>client-configuration in ldap.conf and therefore cannot know about the
>key/cert defined there.
>So the question is: Is samba capable of talking to the LDAP-server using a
>client-certificate?
>Hope somebody knows the answer since I am currently running out of ideas ;-)
>
>Thilo