Hi!
I know this should be asked to the Openldap mailing list but:
I'm trying to set up a Samba/ldap environment where the Samba server is separated
from the ldap server. Everything seems to work on the ldap server, and when I do
an ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get the
following error:
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
As you can see, my ldap.conf contains both ssl start_tls and tls_cacertfile
/usr/local/etc/openldap/server.pem.
I created a CA certificate called server.pem on the ldap server with the FQDN as
"Common Name". I simply copied it to the Samba server.
Both my ldap.conf files look like this:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST 130.237.179.25
BASE dc=dbb, dc=su, dc=se
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /usr/local/etc/openldap/server.pem
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /usr/local/etc/openldap/server.pem
#tls_cacertdir /etc/ssl/certs
I'm very grateful for your answer.
Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679
Hi Peter,
as you can see from your logs, your Samba server does not like the SSL
certificate because it is self signed. If you are using self signed certificates
you must copy some data onto all clients which are going to connect to your
server over SSL. Or, as I have done, you can create your own CA authority using
OpenSSL, which I think is a cleaner way to configure things. Take a look at these
instructions; maybe you'll find them helpful:
http://www.octaldream.com/~scottm/talks/ssl/opensslca.html
thanks Andy.
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Sorry if I'm misleading due to lack of experience, but a self-signed
certificate would not be likely to be accepted unless you configured the
client to accept exactly that certificate. The reason other professional
certificates work is because they are signed by a known authority, who is
already configured to be accepted. --jeffs
----Original Message Follows----
From: Peter Nyberg <Peter.Nyberg@dbb.su.se>
To: samba mailing list <samba@lists.samba.org>
Subject: [Samba] Samba Ldap tls/ssl problem
Sent: Thursday, May 27, 2004 2:23 AM
<snip>
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"Peter Nyberg" <Peter.Nyberg@dbb.su.se> wrote in message
news:1085646235.40b5a59b7723e@wm.dbb.su.se...
Everything seams to work on the ldap server and when I do
a ldapsearch like this:
ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
Everything works on both.
But when I do:
ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
It works on the ldap server without errors, but on the Samba server I get
the following error:
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It is my understanding that Samba 3.x works with TLS and not SSL. TLS works
with ldap:/// and SSL works with ldaps:///. ldap:/// uses port 389 and
ldaps:/// uses port 636. I would therefore not expect ldaps:/// to work
even though I have never tried it.
The thing here is that both encrypted ldap communication and unencrypted
ldap communication use port 389 and ldap:///. To ensure that ldap only
accepts the encrypted communication you can force the use of TLS. To do so,
add the following line to your slapd.conf.
security tls=1
I learnt how to configure TLS/SSL from "Building Secure Servers with Linux"
by Michael Bauer and the following article:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
I have always created my own Certificate Authority instead of using self
signed certificates.
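As an added example (not code from the thread or from any of its posters), the shell script below builds the private CA that Andy and the reply above recommend, issues a server certificate with the FQDN as Common Name, and then uses openssl verify to show what a client holding a given TLS_CACERT file would conclude: a CA-issued certificate verifies only against the CA certificate, and a self-signed certificate verifies only against an exact copy of itself, which is jeffs's point. The server name ldap.example.test, the CA name, the scratch directory and the file names are assumptions, and the script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA with the openssl
# CLI, issue a server certificate whose Common Name is the LDAP server's
# FQDN, and show which file an OpenLDAP client must hold as TLS_CACERT for
# verification to succeed. All names and paths below are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 2; }

WORK="${WORK:-$(mktemp -d)}"       # scratch directory (constructed)
FQDN="${FQDN:-ldap.example.test}"  # stand-in for the real server name

# Minimal openssl config so the extensions do not depend on the system's
# openssl.cnf: a CA section for the root and a server section with a SAN.
write_cnf() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $FQDN
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$FQDN
[selfsigned_ext]
subjectAltName = DNS:$FQDN
EOF
}

# Private CA: self-signed root marked CA:TRUE. ca.pem is what every client
# lists as TLS_CACERT; ca.key stays off the clients entirely.
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Server certificate: CSR with CN = FQDN, signed by the CA with a matching SAN.
make_server_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$FQDN" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions server_ext \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# The other approach in the thread: a self-signed server certificate.
make_self_signed() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions selfsigned_ext \
        -newkey rsa:2048 -nodes -sha256 -days 825 -subj "/CN=$FQDN" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# Verify a certificate against one trust file, as a client whose TLS_CACERT
# names that file does. $1 = trust file, $2 = certificate presented by the
# server. Echoes openssl's verdict; returns 0 on OK, 1 otherwise.
verify_against() {
    out=$(openssl verify -CAfile "$1" -verify_hostname "$FQDN" "$2" 2>&1) || true
    echo "$out"
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# CA-issued certificate: verifies against ca.pem.
demo_private_ca() {
    write_cnf && make_ca && make_server_cert || return 1
    verify_against "$WORK/ca.pem" "$WORK/server.pem"
}

# Self-signed certificate: rejected with "self signed certificate" (error 18)
# by a client trusting only ca.pem, accepted only by a client that holds an
# exact copy of the certificate itself.
demo_self_signed() {
    write_cnf && make_self_signed || return 1
    ! verify_against "$WORK/ca.pem" "$WORK/selfsigned.pem" || return 1
    verify_against "$WORK/selfsigned.pem" "$WORK/selfsigned.pem"
}

main() {
    if demo_private_ca && demo_self_signed; then
        echo "both cases behaved as expected; CA certificate for clients: $WORK/ca.pem"
    else
        echo "unexpected verification result" >&2
        return 1
    fi
}
main
```

The outputs map onto the configuration discussed in the thread: ca.pem is what TLS_CACERT (or tls_cacertfile) on every client should name, while server.pem and server.key belong on the LDAP server as the TLSCertificateFile and TLSCertificateKeyFile directives in slapd.conf, next to the security tls=1 line mentioned above. Error 18 means the certificate the server presented was not found in the trust file the client library loaded, so once the right file has been copied over, the next thing to confirm is that the ldap.conf being edited is the one the client library on that host actually reads.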