On Fri, Sep 15, 2006 at 11:34:04AM -0300, Felipe Augusto van de Wiel wrote:
> The correct option is "start_tls", but it is the default
> option, you don't need to set this up. And the key server is not
> related to Samba; this option just tells samba to use SSL when
> talking with the LDAP server.
I have winbind working nicely with AD here. It took a while to figure out, but now AD user accounts can ssh into my Linux boxen reliably, which is really all I needed; just ssh access. But I want to make sure all the LDAP traffic is secured via TLS/SSL.

On my network, if I run nmap on the Win2K AD server I see that port 636 is open. So I generated a cert file on the Win2K server and converted it to a PEM file (using openssl on Linux) and placed it in /etc/openldap/cacerts and made sure it was world readable. My ldap.conf file looks like this:

#-----------------------------------------------------------
BASE dc=cinteractive, dc=com
URI ldaps://attu.binteractive.com:636
debug 256
logdir /var/log/ldap.errors
host BATTU
base BINTERACTIVE.COM
ssl yes
TLS_CACERT /etc/openldap/cacerts/battu.pem
pam_password md5
#------------------------------------------------------------

The ldap log file I set up is empty. Nothing ever gets written to it. Every time I su to root on the Linux servers I see:

TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect.

I'm not looking to run slapd on this server. LDAP and winbind are used only to allow users to login via ssh with their AD credentials.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
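The "unable to get local issuer certificate" error means the file named in TLS_CACERT does not contain the certificate of the CA that issued the LDAP server's certificate (for example, the server's own certificate was exported instead of its issuing CA's). The script below is an added example, not from the thread or the Samba project: it builds a throwaway CA and server certificate offline (hypothetical names, no real AD server) and runs the same chain check libldap performs, once with the right CA file and once with the server certificate itself as the CA file, to reproduce that exact error.

```bash
#!/bin/sh
# Constructed, offline reproduction of the TLS_CACERT chain check.
# Assumes only the openssl CLI; all certificates are throwaway test material.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed test CA and a server certificate issued by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# Verify a server certificate against a CA file, the way libldap does with
# TLS_CACERT. Prints "ok" on success; on failure prints the OpenSSL reason
# (e.g. "unable to get local issuer certificate") and returns 1.
verify_against_cacert() {
    cafile="$1"; servercert="$2"
    if out=$(openssl verify -CAfile "$cafile" "$servercert" 2>&1); then
        echo ok
    else
        echo "$out" | grep -o 'unable to get local issuer certificate' || echo "$out"
        return 1
    fi
}

main() {
    make_test_pki
    # Correct TLS_CACERT: the issuing CA's certificate.
    echo "CA cert as TLS_CACERT:     $(verify_against_cacert "$WORK/ca.pem" "$WORK/server.pem")"
    # Wrong TLS_CACERT: the server's own certificate, which is not its issuer.
    echo "server cert as TLS_CACERT: $(verify_against_cacert "$WORK/server.pem" "$WORK/server.pem" || true)"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The same check can be run against a real exported CA file and the server certificate fetched from port 636, which tells you whether the PEM in TLS_CACERT is the issuer before touching ldap.conf again.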