Hi,

I'm trying to convert my LDAP server into an LDAPS server to secure the users' logins, but I don't know the procedure to do it. Does anyone know of a guide for it?

For now:

- I've created a CA cert on the server
- I've created the cert and key for the domain PDC
- I've signed that cert with the CA cert
- I've followed the post in the Samba wiki about LDAPS (https://wiki.samba.org/index.php/Setup_LDAPS_on_a_DC)

Now my question is whether I have to do anything on the Windows machines to enable LDAPS, because after enabling the cert in Samba LDAP I can log on to the client machine (the login info is surely cached) but the RSAT tools don't work.

I've tried adding the CA to the trusted certificate authorities, but I get the same behavior.

Thanks and greetings!!
2015-05-02 12:06 GMT+02:00 Daniel Carrasco Marín <danielmadrid19 at gmail.com>:
> Now my question is whether I have to do anything on the Windows machines to enable LDAPS, because after enabling the cert in Samba LDAP I can log on to the client machine (the login info is surely cached) but the RSAT tools don't work.
> [...]

Hi,

I've tried again to set up LDAPS because I want to encrypt the connection with an external server, and now at least the unencrypted LDAP part works. I can log in on clients and I can use the RSAT tools, but it seems TLS is still not working.

I can see Samba listening on that port:

tcp        0      0 192.168.2.250:636       0.0.0.0:*               LISTEN

and I don't see any error in the log, but I can't use the TLS connection in applications like, for example, Horde.

RSAT LDP works fine without TLS too, but with TLS it gives me an error when trying to connect:

ld = ldap_sslinit("pdc.nd.red", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to pdc.nd.red.
and the openssl test command from the wiki works too, from another server:

openssl s_client -showcerts -connect pdc.nd.red:636
CONNECTED(00000003)
depth=0 C = ES, ST = Madrid, L = Madrid, O = SOME, OU = ATIC, CN = pdc.nd.red, emailAddress
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ES, ST = Madrid, L = Madrid, O = SOME, OU = ATIC, CN = pdc.nd.red, emailAddress
verify return:1
---
Certificate chain
 0 s:/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress
   i:/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress
-----BEGIN CERTIFICATE-----
...............
-----END CERTIFICATE-----
---
Server certificate
subject=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress
issuer=/C=ES/ST=Madrid/L=Madrid/O=SOME/OU=ATIC/CN=pdc.nd.red/emailAddress
---
Acceptable client certificate CA names
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=PDC.nd.red
/O=Samba Administration/OU=Samba - temporary autogenerated certificate/CN=PDC.nd.red
---
SSL handshake has read 2204 bytes and written 540 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Session-ID: C5D2CB3B26517A043E090CE3D17683F970D252DA6E3AB862B756F12059E595CA
    Session-ID-ctx:
    Master-Key: 03A0E5FF1612A832EC56A37A6C18391B7BDDCDC6E9A1EF8D27E13ECBF8AA73AA9FEB87C960EAD56BC842FC82B78675E5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1434468171
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Of course, the Samba build has GnuTLS:

smbd -b | grep "ENABLE_GNUTLS"
   ENABLE_GNUTLS

What am I doing wrong?

Thanks!!
2015-06-16 17:35 GMT+02:00 Daniel Carrasco Marín <danielmadrid19 at gmail.com>:
> I can see Samba listening on that port, and I don't see any error in the log, but I can't use the TLS connection in applications like, for example, Horde.
> [...]
> What am I doing wrong?

Hi,

Forget about this.
Finally I've created a Certificate Authority and a self-signed certificate signed with the created CA. Now I can connect using TLS, at least with Python and OwnCloud. I've installed the CA on the client and now even the LDP tool from RSAT is working fine with SSL activated, so I think the server is now working perfectly.

Now I'm happy :)

Greetings!!
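The s_client output posted earlier in this thread already contained the diagnosis: the certificate the DC served had issuer equal to subject (hence "Verify return code: 18 (self signed certificate)"), while the "Acceptable client certificate CA names" the server advertised still named Samba's autogenerated certificate. A client told to trust the newly created CA therefore cannot chain the served certificate to it, and Windows LDP reports the failed TLS setup as error 81 / 0x51, which is LDAP_SERVER_DOWN. The script below is an added example, not code from the thread or from the Samba project: it performs the three steps the original poster described (create a CA, create a key and certificate for the DC, sign it with the CA), then verifies the result the way an LDAPS client will, showing the 18-versus-0 difference between a self-signed certificate and a CA-signed one, and checks that the name clients connect to is in the certificate. The DC name pdc.example.internal, the subjects, and the working directory are assumptions; `ldaps_check` is the live check to run against the real DC once `tls certfile`, `tls keyfile` and `tls cafile` in smb.conf point at the new files, and it is defined but not executed here.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Host name, subjects and
# paths are assumptions; adjust to your own DC.
set -eu

DC_FQDN="${DC_FQDN:-pdc.example.internal}"   # assumed DC name (the thread's host was pdc.nd.red)
WORK="${WORK:-$(mktemp -d)}"

# Step 1: a private CA with explicit CA:TRUE, so clients can tell it apart from a leaf.
make_ca() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
      -subj "/O=Example AD/CN=Example Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
      -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
}

# Steps 2 and 3: the DC's key and certificate, signed by the CA. The name clients
# use goes into subjectAltName, not only into the CN.
make_dc_cert() {
  dir=$1; fqdn=$2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/dc.key" -out "$dir/dc.csr" \
      -subj "/O=Example AD/CN=$fqdn" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
      "$fqdn" > "$dir/dc.ext"
  openssl x509 -req -in "$dir/dc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
      -days 825 -extfile "$dir/dc.ext" -out "$dir/dc.pem" 2>/dev/null
}

# The first attempt in the thread, for comparison: a leaf that signed itself (issuer == subject).
make_selfsigned_cert() {
  dir=$1; fqdn=$2
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/self.key" -out "$dir/self.pem" \
      -days 825 -subj "/O=Example AD/CN=$fqdn" 2>/dev/null
}

# X509 verify result of CERT against CAFILE as a number: 0 = ok,
# 18 = self-signed certificate not in the trust store (what s_client printed in the thread).
verify_code() {
  cafile=$1; cert=$2
  out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) && { echo 0; return; }
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
}

# Does CERT cover the host name a client will connect to (SAN first, CN only as fallback)?
hostname_matches() {
  openssl x509 -in "$2" -noout -checkhost "$1" | grep -q ' does match '
}

# Live check against a DC (defined, not run here): succeeds only if the handshake
# completes, the chain verifies against CAFILE and the name matches.
ldaps_check() {
  openssl s_client -connect "$1:636" -servername "$1" -verify_hostname "$1" \
      -CAfile "$2" -verify_return_error </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

make_ca "$WORK"
make_dc_cert "$WORK" "$DC_FQDN"
make_selfsigned_cert "$WORK" "$DC_FQDN"
```

Running the script leaves `ca.pem`, `dc.key` and `dc.pem` in `$WORK`; `verify_code "$WORK/ca.pem" "$WORK/dc.pem"` prints 0 while the same call on `self.pem` prints 18, which is the state the thread's s_client output showed. After pointing smb.conf at the new files and restarting Samba, `ldaps_check pdc.example.internal ca.pem` from another host is the check to run before touching any Windows client; on the clients, only `ca.pem` (never the key) needs to be imported into the trusted root store.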