Hi,

We're seeing some TLS LDAP related issues in our Samba 4 PDC. Slapd gives the same message with SSL turned on and off in smb.conf.

slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
   Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled)
   Active: active (running) since Tue 2018-04-03 14:54:38 AEST; 4min 12s ago

Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: reconnecting to LDAP server...
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=mytest - Can't contact LDAP server
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: failed to bind to LDAP server ldap://mypdc.mytest: Can't contact LDAP server
Apr 03 14:54:37 mypdc slapd[9883]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: could not connect to any LDAP server as cn=admin,dc=mytest - Can't contact LDAP server
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: failed to bind to LDAP server ldap://mypdc.mytest: Can't contact LDAP server
Apr 03 14:54:38 mypdc slapd[9883]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 03 14:54:38 mypdc slapd[9884]: slapd starting
Apr 03 14:54:38 mypdc slapd[9875]: ...done.
Apr 03 14:54:38 mypdc systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).

I can run the ldapwhoami (with and without -d1)

ldapwhoami -H ldap:// -x -ZZ
anonymous

ldap_url_parse_ext(ldap://)
ldap_create
ldap_url_parse_ext(ldap://:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful

Following is /etc/ldap/ldap.conf

BASE dc=mytest
URI ldap://mypdc.mytest
TLS_CACERT /etc/ldap/ca_certs.pem
TLS_REQCERT allow

Smb.conf

#LDAP
passdb backend = ldapsam:ldap://mypdc.mytest
ldap admin dn = cn=admin,dc=mytest
ldap suffix = dc=mytest
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap backend = ldap
ldap idmap suffix = ou=idmap
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://mypdc.mytest/
idmap config *: ldap_base_dn = ou=idmap,dc=mytest
idmap config *: ldap_user_dn = cn=admin,dc=mytest
ldap delete dn = yes
ldap password sync = yes
# ldap ssl = off

If I uncomment #ldap ssl = off and restart the services (smbd, nmbd and slapd) I get the same message.

Regards,
Praveen Ghimire