Ok, thanks I'll try that. I did not modify ldap.conf, cause I thought that ldap.conf is a client setting and not a server seting, I'll try that anyway. And one me thing : wha't right like this -> passdb backend = ldapsam:ldap://127.0.0.1, or like this -> ldaps://127.0.0.1:636 ?
Thanks for your time, very kind of you. 2006/10/9, Guillaume <[EMAIL PROTECTED]>:
Net Warrior a écrit : > Hi there guys, do not know if post this here or in openldap list, sorry > if I > disturb you. > > I configured samba+ldap as a PDC and byt now it's working fine, so, I > decided to put some security to the stuff. > The problem is that I coudl not make it work, here I what I've done. > > This is what netstat shows. > > tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN > tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN > tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED > tcp 0 0 :::389 :::* LISTEN > tcp 0 0 :::636 :::* LISTEN > > > in slapd.conf i have > > TLSCipherSuite HIGH:MEDIUM:+SSLv3 > TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt > TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key > VerifyClient demand > > I created the certificate like this: > > openssl genrsa 2048 -out > server.key > openssl req -new -key server.key -out server.csr > openssl req -in server.csr -key server.key -x509 -out server.crt > > > openssl s_client -connect localhost:636 -showcerts > > CONNECTED(00000003) > --- > Certificate chain > 0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd > i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd > -----BEGIN CERTIFICATE----- > the garbage > -----END CERTIFICATE----- > > > subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd > issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd > --- > No client certificate CA names sent > --- > SSL handshake has read 1115 bytes and written 468 bytes > --- > New, TLSv1/SSLv3, Cipher is AES256-SHA > Server public key is 2048 bit > SSL-Session: > Protocol : TLSv1 > Cipher : AES256-SHA > Session-ID: > F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A > Session-ID-ctx: > Master-Key: > 6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623 > > > Key-Arg : None > Start Time: 1160232704 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > > --- > closed > > > smb.conf > passdb backend = ldapsam:ldap://127.0.0.1 > Does it hae to be ldaps://127.0.0.1:636 ? > > > Is this enought to establish a secure conection? I never see , with > netstat, > 636 ESTABLISHED > > If in smb.conf I change to ldaps://127.0.0.1:636, as I read in severals > how-to's I get > for example with pdbedit -Lv or trying to login from an XP machine the > followigin in the server: > > Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))] > smbldap_open_connection: connection opened > failed to bind to server ldaps://127.0.0.1:636 with > dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify > failed > Connection to LDAP server failed for the 1 try! > and on, and on. and on.. > > What am I missing? > > My clients are XP machines > > > Thanks in advance, sorry for the noise and for my very basic question. Hi I think you have a problem because you sign your certificat by yourself. Just try to put this line in you ldap.conf file.... the client config file... not the slapd.conf !! ----- TLS_REQCERT allow ----- Regards Guillaume -- Guillaume E-mail: silencer_<at>_free-4ever_<dot>_net Blog: http://guillaume.free-4ever.net ---- Site: http://www.free-4ever.net -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
