Dear Samba friends,
I have set up a Samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with
openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in
slapd.conf and want to force the clients to connect and present a
valid certificate to the LDAP server. As far as I have understood, Samba
will act as a client as well, and in order to access the LDAP server it will
need a client certificate as well. I do know how to generate a client
certificate, but I do not know where to tell Samba to use this
client certificate. Is this supported by Samba, or do I need to lower the
constraints regarding TLSVerifyClient? Maybe to ``TLSVerifyClient
try''?
--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
Willy
*************************************
W.K. Offermans
Home: +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: Willy at Offermans.Rompen.nl
Powered by ....
(__)
\\\'',)
\/ \ ^
.\._/_)
www.FreeBSD.org
Hi

On 30 December 2010 14:35, Willy Offermans <Willy at offermans.rompen.nl> wrote:
> Dear Samba friends,
>
> I have setup a samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with
> openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in
> slapd.conf and want to enforce the clients to connect and show a
> valid certificate to the ldap server. As far as I have understood, Samba
> will act as a client as well and in order to access the ldap server it will
> need a client certificate as well. I do know how to generate a client
> certificate, but I do not know where to tell samba to use this
> client certificate. Is this supported by Samba or do I need to lower the
> constraints regarding the TLSVerifyClient? Maybe to ``TLSVerifyClient try''?

Just a guess, but have you tried the TLS_CERT and TLS_KEY options from
the LDAP client config? They're listed in ldap.conf(5) as "user-only
options", so they should be specified in $HOME/.ldaprc or ldaprc in the
current directory. Not sure where $HOME or the current directory are for
Samba, though, but perhaps that will point you in the right direction.

Hope that helps.

--
Michael Wood <esiotrot at gmail.com>
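For readers landing on this thread, here is what the three pieces look like when put together. This is an added illustration, not configuration posted by either participant; the file paths, host name and DNs are assumed placeholders (the /usr/local/etc/openldap prefix is where the FreeBSD port installs OpenLDAP's configuration). The server and Samba sides are real slapd.conf, ldap.conf(5) and smb.conf(5) directives; the key point, from ldap.conf(5), is that TLS_CERT and TLS_KEY are "user-only" options that are ignored in the system-wide ldap.conf (and in a file named by LDAPCONF), so they have to live in the .ldaprc of the uid smbd runs as, normally root.

```ini
# ---- slapd.conf (LDAP server side): what the question already has ----
TLSCACertificateFile    /usr/local/etc/openldap/ca.crt      # assumed path
TLSCertificateFile      /usr/local/etc/openldap/ldap.crt    # assumed path
TLSCertificateKeyFile   /usr/local/etc/openldap/ldap.key    # assumed path
# "demand": the handshake fails unless the client presents a certificate
# that chains to ca.crt. "try" would also let certificate-less clients in,
# which defeats the purpose of mutual authentication.
TLSVerifyClient         demand

# ---- /root/.ldaprc (client side; libldap inside smbd reads this) ----
# TLS_CERT / TLS_KEY are user-only: put them here, not in ldap.conf.
TLS_CACERT   /usr/local/etc/openldap/ca.crt                 # assumed path
TLS_CERT     /usr/local/etc/openldap/samba-client.crt       # assumed path
TLS_KEY      /usr/local/etc/openldap/samba-client.key       # assumed path, mode 0600
# Verify the server certificate too, so the authentication is mutual.
TLS_REQCERT  demand

# ---- smb.conf (Samba 3.x) ----
[global]
    passdb backend = ldapsam:ldap://ldap.example.com    # assumed host
    ldap admin dn   = cn=samba,dc=example,dc=com        # assumed DN
    # Upgrade the plain ldap:// connection with StartTLS; the client
    # certificate above is then sent during that handshake.
    ldap ssl        = start tls
```

Before restarting smbd, test the client side under the same uid and $HOME that smbd will have, e.g. `ldapsearch -ZZ -x -H ldap://ldap.example.com -b ''` as root with HOME=/root; if that succeeds against a slapd running with `TLSVerifyClient demand`, the .ldaprc is being picked up. Keep samba-client.key readable only by that uid, since anyone who can read it can authenticate to slapd as the Samba client. If you use an ldaps:// URL in `passdb backend` instead, the session is TLS from the first byte and `ldap ssl` should be left at `off`.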