Hi there guys, I don't know whether to post this here or on the openldap list, sorry if I disturb you.

I configured samba+ldap as a PDC and by now it's working fine, so I decided to put some security into the stuff. The problem is that I could not make it work; here is what I've done.

This is what netstat shows:

    tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
    tcp 0 0 :::389 :::* LISTEN
    tcp 0 0 :::636 :::* LISTEN

In slapd.conf I have:

    TLSCipherSuite HIGH:MEDIUM:+SSLv3
    TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
    TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
    VerifyClient demand

I created the certificate like this:

    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl req -in server.csr -key server.key -x509 -out server.crt

openssl s_client -connect localhost:636 -showcerts

    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
       i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
    -----BEGIN CERTIFICATE-----
    the garbage
    -----END CERTIFICATE-----
    ---
    subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
    issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1115 bytes and written 468 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
        Session-ID-ctx:
        Master-Key: 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623
        Key-Arg   : None
        Start Time: 1160232704
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    closed

In smb.conf:

    passdb backend = ldapsam:ldap://127.0.0.1

Does it have to be ldaps://127.0.0.1:636? Is this enough to establish a secure connection? I never see, with netstat, 636 ESTABLISHED.

If in smb.conf I change it to ldaps://127.0.0.1:636, as I read in several how-to's, I get, for example with pdbedit -Lv or when trying to log in from an XP machine, the following on the server:

    Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
    smbldap_open_connection: connection opened
    failed to bind to server ldaps://127.0.0.1:636 with dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Connection to LDAP server failed for the 1 try!

and on, and on, and on...

What am I missing? My clients are XP machines.

Thanks in advance, sorry for the noise and for my very basic question.
Net Warrior wrote:
> [...]
> smb.conf
> passdb backend = ldapsam:ldap://127.0.0.1
> Does it have to be ldaps://127.0.0.1:636? Is this enough to establish a secure connection?
> I never see, with netstat, 636 ESTABLISHED.
>
> If in smb.conf I change it to ldaps://127.0.0.1:636, as I read in several how-to's, I get,
> for example with pdbedit -Lv or when trying to log in from an XP machine, the following on the server:
>
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
> smbldap_open_connection: connection opened
> failed to bind to server ldaps://127.0.0.1:636 with dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Connection to LDAP server failed for the 1 try!
>
> What am I missing?

Hi,

I think you have a problem because you sign your certificate by yourself. Just try to put this line in your ldap.conf file... the client config file, not the slapd.conf!

-----
TLS_REQCERT allow
-----

Regards,
Guillaume

--
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: guillaume.free-4ever.net
Site: free-4ever.net
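The failure in this thread, reproduced as an added example (not code from either poster) with nothing but the openssl binary: a freshly generated self-signed server certificate fails the default client check with verify error 18, the same "self signed certificate" / "certificate verify failed" condition seen in the s_client output and the Samba log, and passes once the client is given that certificate as its trust anchor. The script ends by printing the ldap.conf lines for the second approach, which keeps verification switched on instead of relaxing it with TLS_REQCERT allow. TLS_CACERT and TLS_REQCERT are real ldap.conf directives; the certificate subject, the working directory and the file names are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread above. Requires only openssl.
# The subject, working directory and file names are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key and self-signed certificate. The genrsa arguments are in
# the order openssl expects (-out before the key size) and the CSR step
# from the thread is folded into one "req -x509" call; the result is the
# same kind of certificate slapd was serving on port 636.
make_self_signed() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/server.key" -days 365 \
        -subj "/C=XX/O=Example/CN=ldap.example.test" \
        -out "$WORK/server.crt" 2>/dev/null
}

# What a client does by default (TLS_REQCERT demand with no TLS_CACERT):
# it checks the chain against the CA store only. A self-signed certificate
# is not in that store, so the check fails; openssl reports the condition
# as "error 18 at 0 depth lookup", the same code as "Verify return code: 18"
# in the s_client output. Returns 0 only when exactly that error is seen.
verify_against_ca_store() {
    out=$(openssl verify "$WORK/server.crt" 2>&1 || true)
    echo "$out" | grep -q 'error 18 at 0 depth'
}

# The fix that keeps verification on: hand the client the self-signed
# certificate itself as its trust anchor. This is what TLS_CACERT in the
# client's ldap.conf does for libldap (and therefore for Samba's ldapsam).
# Returns 0 when the certificate verifies against that anchor.
verify_with_trust_anchor() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Client-side ldap.conf lines for the trust-anchor approach. Argument: the
# path where the server certificate (or the CA that signed it) is installed
# on the client. TLS_REQCERT allow would instead let the session proceed
# even when the certificate cannot be verified; demand rejects it.
client_ldap_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

main() {
    make_self_signed
    if verify_against_ca_store; then
        echo "no trust anchor: verify error 18 (self signed certificate), as in the thread"
    fi
    if verify_with_trust_anchor; then
        echo "with the certificate as TLS_CACERT: verification OK"
    fi
    echo "client ldap.conf lines:"
    client_ldap_conf "/etc/openldap/ssl/server.crt"
}

main "$@"
```

Run it as a normal shell script; it needs no server, because openssl verify performs the same trust decision that libldap makes when it receives the server certificate during the TLS handshake. On the real system, copy server.crt to the client (on a PDC that is the same host as slapd) and reference it from TLS_CACERT in the ldap.conf that libldap reads, then keep TLS_REQCERT at demand.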