Dear Michael and Samba friends,

On Fri, Dec 31, 2010 at 11:50:49PM +0200, Michael Wood wrote:
> Hi
>
> On 30 December 2010 14:35, Willy Offermans <[email protected]> wrote:
> > Dear Samba friends,
> >
> > I have set up a samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with
> > openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in
> > slapd.conf and want to force the clients to connect and show a
> > valid certificate to the ldap server. As far as I have understood, Samba
> > will act as a client as well and in order to access the ldap server it will
> > need a client certificate as well. I do know how to generate a client
> > certificate, but I do not know where to tell samba to use this
> > client certificate. Is this supported by Samba or do I need to lower the
> > constraints regarding the TLSVerifyClient? Maybe to ``TLSVerifyClient try''?
>
> Just a guess, but have you tried the TLS_CERT and TLS_KEY options from
> the LDAP client config? They're listed in ldap.conf(5) as "user-only
> options", so should be specified in $HOME/.ldaprc or ldaprc in the
> current directory. Not sure where $HOME or the current directory are
> for Samba, though, but perhaps that will point you in the right
> direction.
>
> Hope that helps.
>
> --
Thanks for your answer!

I guess $HOME is the home directory of root in this case, but I'm not sure yet.
I have created the following file: /root/ldaprc with the following content:

<snip>
#
# User specific LDAP settings
#

# Override global directive (if set)
TLS_REQCERT demand

# client authentication
TLS_CERT /root/certs/root.pem
TLS_KEY /root/certs/keys/root.key
</snip>

It helped me to work with ldapadd -ZZ ... commands from the command prompt.
I hope that samba works in a similar way, meaning that it will make use of
/root/ldaprc to show its client certificate. I have not yet tested samba,
because I'm still setting up this server and I was distracted by the
installation of other programs.

If somebody has already experienced that /root/ldaprc will not work for samba,
then please give me a hint on how to set this up correctly.

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,

Willy

*************************************
W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: [email protected]

Powered by .... (__) \\\'',) \/ \ ^ .\._/_) www.FreeBSD.org
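A small sanity check for the per-user ldaprc file discussed in this thread, added here as an example and not part of the original mail, OpenLDAP or Samba. It assumes only the option names documented in ldap.conf(5) (TLS_REQCERT, TLS_CERT, TLS_KEY) and reads whatever file path you pass it; the paths under /root/certs in the test data are constructed to match Willy's file. It flags the three things that most often break a "TLSVerifyClient demand" setup from the client side: a weakened TLS_REQCERT, a missing certificate or key, and a private key readable by other users.

```shell
# check_ldaprc: sanity-check a per-user OpenLDAP client file (ldaprc) before
# pointing an LDAP client such as Samba's ldapsam backend at a server that
# runs "TLSVerifyClient demand".
# Added example for this thread; not from OpenLDAP or Samba. It assumes the
# option names from ldap.conf(5): TLS_REQCERT, TLS_CERT, TLS_KEY.
# Usage: check_ldaprc /root/ldaprc   (exit 0 = looks usable, 1 = problems found)

# Print the effective value of one option: comment lines are skipped because
# their first field is "#", and the last occurrence wins.
ldaprc_opt() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

check_ldaprc() {
    rc="$1"
    problems=0
    if [ ! -r "$rc" ]; then
        echo "ERROR: $rc is not readable"
        return 1
    fi

    reqcert=$(ldaprc_opt "$rc" TLS_REQCERT)
    cert=$(ldaprc_opt "$rc" TLS_CERT)
    key=$(ldaprc_opt "$rc" TLS_KEY)

    # Server certificate verification: anything weaker than demand/hard lets
    # the client accept an unverified server certificate.
    case "$reqcert" in
        demand|hard) ;;
        "") echo "WARN: TLS_REQCERT not set in $rc (global ldap.conf value applies)" ;;
        *)  echo "ERROR: TLS_REQCERT is '$reqcert'; expected demand"
            problems=$((problems + 1)) ;;
    esac

    # Client certificate and key must both be set, present and look like PEM.
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "ERROR: TLS_CERT and TLS_KEY must both be set for client authentication"
        problems=$((problems + 1))
    else
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
            echo "ERROR: TLS_CERT $cert is missing or not a PEM certificate"
            problems=$((problems + 1))
        fi
        if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null; then
            echo "ERROR: TLS_KEY $key is missing or not a PEM private key"
            problems=$((problems + 1))
        else
            # The private key must not be readable by group or others;
            # columns 5-10 of "ls -l" are the group and other permission bits.
            perms=$(ls -ld "$key" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "ERROR: TLS_KEY $key is group/world accessible (bits: $perms); use chmod 600"
                problems=$((problems + 1))
            fi
        fi
    fi

    [ "$problems" -eq 0 ]
}
```

Run it as the user the LDAP client will run as (root, for smbd in this setup), since both the home directory lookup and the file permission checks depend on that identity. If smbd turns out not to read /root/ldaprc, ldap.conf(5) also documents the LDAPCONF and LDAPRC environment variables for pointing libldap at a specific configuration file.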
