Hi Larry,
Basically, you need to configure your custom CA certificate (not the
server one) as trusted. This can be done inside LAM or using TLS_CACERT.
You can also check your OS documentation on how to import root certificates,
as this might also help.
If you purchase a certificate then there should be no issues unless it
is a very exotic CA. Some OSes do not have Let's Encrypt trusted by default.
Another way would be to use a tool like "stunnel" that provides a local
port and forwards the communication encrypted:
https://www.stunnel.org/
Best regards
Roland
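As an added illustration of the point above (this is an example written for this page, not code from the thread, from LAM or from Samba), the script below builds a throwaway CA, issues a server certificate for the DC from it, and then runs OpenSSL's own path validation twice: once with the CA certificate as the trust anchor, once with the server certificate itself. The first passes; the second fails with the same "unable to get local issuer certificate" reason that appears in the error message quoted below. It assumes the openssl CLI (1.1.1 or newer) is installed; the CA name, host name and file paths are made up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the LAM/Samba projects.
# Shows why the CA certificate, not the server certificate, must be the
# trust anchor for an LDAPS client. Assumes the openssl CLI (1.1.1+);
# all names and paths are invented for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway CA: key, CSR, then a self-signed certificate with explicit
#    CA extensions (extfile avoids relying on openssl.cnf defaults).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl x509 -req -sha256 -days 365 -signkey "$WORK/ca.key" \
  -extfile "$WORK/ca.ext" -in "$WORK/ca.csr" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server key and CSR for the DC (host name is made up).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=dc5.rmc.example.edu" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. CA issues the server certificate; the SAN is what clients match the
#    host name against, serverAuth marks it as a TLS server certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dc5.rmc.example.edu\nextendedKeyUsage=serverAuth\n' \
  > "$WORK/server.ext"
openssl x509 -req -sha256 -days 365 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/server.ext" \
  -in "$WORK/server.csr" -out "$WORK/server.pem" 2>/dev/null

# verify_chain ANCHOR: validate server.pem with ANCHOR as the only trusted
# certificate. Echoes a one-line verdict; returns 0 on success, 1 on failure.
verify_chain() {
  if out="$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1)"; then
    echo "anchor=$(basename "$1"): OK"
    return 0
  fi
  reason="$(printf '%s' "$out" | grep -o 'unable to get local issuer certificate' || echo 'failed')"
  echo "anchor=$(basename "$1"): $reason"
  return 1
}

# The correct configuration: the CA certificate is the anchor (TLS_CACERT).
verify_with_ca() { verify_chain "$WORK/ca.pem"; }

# The mistake from the thread: the server certificate as anchor. OpenSSL
# still looks for the server certificate's issuer and cannot find it.
verify_with_server_cert() { verify_chain "$WORK/server.pem"; }

verify_with_ca
verify_with_server_cert || true

# Once verify_with_ca passes against the real ca.pem, point the LDAP client at
# that same file, e.g. in /etc/openldap/ldap.conf:
#   TLS_CACERT /etc/openldap/certs/dc5-ca.pem
# and check from the LAM host with (hypothetical path/host):
#   LDAPTLS_CACERT=/etc/openldap/certs/dc5-ca.pem \
#     ldapsearch -H ldaps://dc5.rmc.example.edu -x -b '' -s base
```

The second verification reproduces the client-side symptom without any network: OpenSSL treats the file in TLS_CACERT as a set of trust anchors and still needs to reach a self-signed CA from the server certificate, so handing it the server certificate (or a CA file that only contains the intermediate) cannot satisfy the check. The same applies to the "Import from Server" route inside LAM: what is imported has to be the issuing CA certificate for the server's chain to validate.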
Am 15.10.25 um 21:46 schrieb Larry Dillon:
Trying to get LAM to talk to Samba via ldaps
Error message:
Cannot connect to specified LDAP server. Please try again.
(-1) LDAP error, server says: Can't contact LDAP server -
error:0A000086:SSL routines::certificate verify failed (unable to get local
issuer certificate)
Wireshark says: Alert (Level: Fatal, Description: Unknown CA)
I've tried the Import from Server under General settings, which imports
fine, but never works. I feel like this should be an easy procedure, but I
can never get it to work with encryption enabled.
Common name: dc5.rmc.example.edu
Valid to: 2027-09-14
Serial number: 1115614824
I tried editing the /etc/openldap/ldap.conf on the LAM server to include
what is called the cacert.pem in the documentation as referenced at:
https://www.ldap-account-manager.org/static/doc/manual/apbs03.html
cacert.pem does not exist, so I've tried the Samba generated ca.pem
and cert.pem, with a reboot between the two tries.
TLS_CACERT /etc/openldap/certs/dc5-ca.pem
#TLS_CACERT /etc/openldap/certs/dc5-cert.pem
A few years ago I also tried to get this to work, to no avail. I tried
manually importing the certs and CA, but never got it to work.
I tried generating self-signed certs on the Samba server as outlined at:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
I also tried setting up my own CA, but didn't find much documentation and
never got that working.
I feel like I'm doing something fundamentally wrong. Would this work better
if I installed LAM on Debian or Ubuntu instead of Alma?
We'd rather use in-house certs, but should we just buy a commercial,
trusted cert? If so from whom, and what type of certs, for what uses,
including what additional names?
Should I look into setting up a CA again? If so, any pointers to a good
guide? What are most people doing?
I've installed plenty of web server SSL certs, and manually renewed Samba
certs, but I just can't get this to work.
Thanks for any help or pointers to a step-by-step procedure that anyone can
provide!
Larry
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public