samba - Dec 2016 - ldaps:// referrals from DC

I'm not an LDAP expert and I need an help to understand the following
situation.

I'm configuring a web LDAP addressbook (roundcube) against a Samba 4.4
DC to use simple binds over ldaps://.

My troubles with Samba 4 DC start when the server response contains a
referral with ldap:// URI scheme.  The client fails without messages to
error logs.

This does not happen against a Windows Server 2012 implementation, that
answers with ldaps:// URI scheme.

As workaround I could configure STARTTLS and bind over ldap:// scheme,
or disable referrals on the client side ...but a question remain: is
the Samba DC response "correct"? I'd expect both AD
implementations do
the same.


This is an ldapsearch command output against Samba DC:

   ldapsearch -D 'davidep at neth.eu' -w '*****' -H
ldaps://neth.eu -b dc=neth,dc=eu '(objectClass=user)'
   ...
   # search reference
   ref: ldap://neth.eu/CN=Configuration,DC=neth,DC=eu

   # search reference
   ref: ldap://neth.eu/DC=DomainDnsZones,DC=neth,DC=eu

   # search reference
   ref: ldap://neth.eu/DC=ForestDnsZones,DC=neth,DC=eu


And this is against MS DC:

   ldapsearch -D 'davidep at adnethesis.it' -w '******' -H
ldaps://192.168.*.* -b dc=adnethesis,dc=it '(objectClass=user)'
   ...
    # search reference
    ref:
ldaps://ForestDnsZones.adnethesis.it/DC=ForestDnsZones,DC=adnethesis,DC=i
     t

    # search reference
    ref:
ldaps://DomainDnsZones.adnethesis.it/DC=DomainDnsZones,DC=adnethesis,DC=i
     t

    # search reference
    ref: ldaps://adnethesis.it/CN=Configuration,DC=adnethesis,DC=it



-- 
Davide Principi

#davidep | @davideprincipi

Hello Davide,

Am 20.12.2016 um 14:46 schrieb Davide Principi via
samba:
> My troubles with Samba 4 DC start when the server response contains a
> referral with ldap:// URI scheme.  The client fails without messages to
> error logs.
> 
> As workaround I could configure STARTTLS and bind over ldap:// scheme,
> or disable referrals on the client side ...but a question remain: is
> the Samba DC response "correct"? I'd expect both AD
implementations do
> the same.
I haven't tried it, but what is wrong with STARTTLS? Right after the
connect the connection switches to TLS and authentication and data is
send encrypted to the server.


Regards,
Marc

Hi Marc,

thank you for your quick response!

On Tue, 2016-12-20 at 17:44 +0100, Marc Muehlfeld via samba
wrote:
> 
> I haven't tried it, but what is wrong with STARTTLS?
Nothing is wrong with STARTTLS (if the client supports it)! In my case
I disabled referrals chasing in roundcube, as workaround.

The reason I ask here is: MS DC gives a different response, and looks
more client-friendly than the Samba DC one. 

Should the Samba DC return "ldaps://" scheme in referral, too?

As said, I'm not an LDAP expert and don't know what is the correct
referral URI.

-- 
Davide Principi

#davidep | @davideprincipi