On Wed, 2002-07-03 at 15:32, Jeff Mandel wrote:

> Does samba support tls only?

no, the pam_ldap supports tls, ssl and unencrypted connections and either ssl or tls is the default these days, I can't remember which.

> I am trying to get the 2.2.5 version of samba to work with ldap and
> ssl/tls on solaris 8 with iPlanet's Directory 5.x..
> I can successfully compile and run nss_ldap and pam_ldap over ssl, but
> those are compiled against the mozilla ldapsdk.

This might be your problem. The LDAP code has only been tested (well, by me) compiling against and connecting to an OpenLDAP server.

> It seems that the samba code only supports TLS, and the mozilla sdk only
> supports ssl. Please correct me if I'm wrong here.
> I can build against both Solaris and mozilla sdk ldap libraries and
> connect fine in the clear, but setting up ssl fails when I attempt to
> update an ldap password using smbpasswd with: "Secure connection not
> supported by LDAP client libraries". So it would seem I need to build
> against openldap.

Yes, that's the recommended way to build it.

> So I built openldap with openssl and tls for starters. I thought I might
> then be able to build samba against the openldap libraries and get
> client TLS support. Please let me know if I should give up now.

I know nothing of iPlanet, is it LDAPv3 or v2? StartTLS is only supported in v3.

> For any of you who have compiled against openldap and openssl, I'm
> wondering if you can help with a problem I'm having getting a TLS
> connection to my iPlanet (v5.x) directory.
> I'm just starting with a basic ldapsearch -Z and being rejected for
> unknown certificate:
>
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA, issuer: /C=US/ST=OR/L=Eugene/O=Probes/OU=Roles/CN=Molecular Probes CA
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And after all that it looks like this is really where the problem lies: Samba is NOT happy with a self-signed cert, apparently . . . (well, OpenSSL isn't happy). I know there is some way to tell it to "shut up and connect already" but I can't remember ATM.

--Shahms
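As an added triage helper (not part of the original thread or of Samba/OpenLDAP), this parses the OpenLDAP TLS trace quoted above, maps the OpenSSL verify error code to its meaning, and emits the client-side ldap.conf lines that trust the private CA rather than disabling verification; the sample trace and the CA file path are constructed for the example.

```python
import re

# Constructed sample, modelled on the ldapsearch -Z trace quoted in the thread
SAMPLE_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=OR/O=Probes/CN=Molecular Probes CA, issuer: /C=US/ST=OR/O=Probes/CN=Molecular Probes CA
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
ldap_start_tls: Connect error (91)
"""

# OpenSSL X509 verify result codes as they appear in OpenLDAP's "err:" field
VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "self signed certificate (depth 0)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.*?), issuer: (.*)$"
)

def parse_verify_failure(trace):
    """Return details of the first failed chain verification, or None if the chain verified."""
    for line in trace.splitlines():
        m = VERIFY_RE.match(line)
        if not m:
            continue
        depth, err = int(m.group(1)), int(m.group(2))
        if err == 0:          # err 0 is a successful check of that chain element
            continue
        subject, issuer = m.group(3).strip(), m.group(4).strip()
        return {
            "depth": depth, "err": err,
            "reason": VERIFY_ERRORS.get(err, "unknown verify error"),
            "subject": subject, "issuer": issuer,
            "self_signed": subject == issuer,   # a root or private CA certificate
        }
    return None

def ldap_conf_fix(failure, ca_path):
    """ldap.conf lines that make the site CA trusted while keeping verification strict.
    TLS_REQCERT never is the 'shut up and connect' knob; it turns verification off."""
    if failure is None or failure["err"] not in (18, 19, 20, 21):
        return []
    return [f"TLS_CACERT {ca_path}", "TLS_REQCERT demand"]
```

The CA file named by TLS_CACERT must contain the PEM certificate of the CA that signed the directory server's certificate (here the "Molecular Probes CA" shown at depth 1).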
