On Fri, 8 Jan 2016, Graham Allan wrote:
> Replying to my own message here, but I continue to investigate my problem and
> can't explain what I see. I put together a small test program to connect to
> our ldap server using same parameters as smbd. Setting "ldap debug level = 1"
> in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program shows the
> smbd output complaining of certificate signature failure.
>
> smbd output:
...
> > [LDAP] TLS certificate verification: depth: 0, err: 7, subject:
> > /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street
> > SE/O=University of Minnesota/OU=School of Physics and
> > Astronomy/CN=ldap.spa.umn.edu,[LDAP] issuer: /C=US/ST=MI/L=Ann
> > Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> > [LDAP] TLS certificate verification: Error, certificate signature failure

Some certs verify, another doesn't: so what's different about that cert?
Different signature hash algorithm, sha256 perhaps?

...
> But my test program on same machine gives:
...
> > TLS certificate verification: depth: 0, err: 0, subject:
> > /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street
> > SE/O=University of Minnesota/OU=School of Physics and
> > Astronomy/CN=ldap.spa.umn.edu, issuer: /C=US/ST=MI/L=Ann
> > Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
...
> Same certificate chain, but one case verifies and the other doesn't...
>
> I also stepped through smbd with gdb and verified that the parameters to
> ldap_simple_bind_s are the same as my test case.
>
> Wonder if anyone can venture a guess how this might occur?

Are smbd and your test program linked against the same libldap version and
openssl version?

Philip Guenther
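As an added triage helper (not code from this thread, Samba or OpenLDAP): parse the per-certificate lines of the libldap TLS debug output quoted above, in both the smbd form (each line prefixed with `[LDAP] `) and the plain test-program form, and map the numeric `err` to its OpenSSL X509 verify-result name, so the two runs can be compared field by field. The sample log lines are constructed with shortened DNs; the error-code table is a subset I am confident of.

```python
import re

# Subset of OpenSSL X509_V_ERR_* result codes (err 7 is the page's "certificate signature failure").
X509_ERR_NAMES = {
    0: "OK",
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# smbd prefixes each libldap debug write with "[LDAP] " (it also appears before "issuer:"
# because subject and issuer are written separately); the standalone program has no prefix.
LINE_RE = re.compile(
    r"^(?:\[LDAP\] )?TLS certificate verification: depth: (?P<depth>\d+), "
    r"err: (?P<err>\d+), subject: (?P<subject>.*?),\s*(?:\[LDAP\] )?issuer: (?P<issuer>.*)$"
)

def parse_verify_log(text):
    """Return one dict per per-certificate verification line, in log order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # e.g. the trailing "Error, certificate signature failure" summary line
            continue
        err = int(m.group("err"))
        records.append({
            "depth": int(m.group("depth")),
            "err": err,
            "err_name": X509_ERR_NAMES.get(err, "X509_V_ERR_%d" % err),
            "subject": m.group("subject").strip(),
            "issuer": m.group("issuer").strip(),
        })
    return records

def first_failure(records):
    """The first non-zero verification result (lowest-depth cert reported first), or None."""
    for r in records:
        if r["err"] != 0:
            return r
    return None

# Constructed sample lines in the two formats seen on the page (DNs shortened).
SMBD_LOG = ("[LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/ST=MN/CN=ldap.spa.umn.edu,"
            "[LDAP] issuer: /C=US/ST=MI/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA\n"
            "[LDAP] TLS certificate verification: Error, certificate signature failure\n")
TEST_PROGRAM_LOG = ("TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=MN/CN=ldap.spa.umn.edu, "
                    "issuer: /C=US/ST=MI/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA\n")
```

Run both captures through `parse_verify_log` and compare `first_failure` results: if the subject and issuer DNs agree but only one run reports err 7, the difference is in the verifying library or its trust store, not in the server's chain.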
