You should set tls parameters in slapd.conf. You have them commented in the default slapd.conf, just uncomment them. Also, you should make the tls key signature in /usr/share/ssl/certs/ (rh7.3), or wherever tls places them.
They are not commented. See below.

From /etc/openldap/slapd.conf:

# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
TLSCACertificatePath /etc/ssl/openldap/
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0

Also, I'm on Mandrake so the certs are here:
[root@enigma ssl]# pwd
/usr/lib/ssl
[root@enigma ssl]# ls
certs/ lib/ misc/ mod_ssl/ openssl.cnf private/
[root@enigma ssl]#

Not that it matters too awfully much where certs are kept since I am using the default self-signed cert generated by the scripts. Perhaps later I will install the one I made today and run a CA.

If you are using ldap authentication on your network for linux machines, then you should do the ldap client setting to use ssl in openldap's ldap.conf. On rh it is placed in /etc/ldap.conf; put:
ssl yes. Also on the same machine, as it is a client when one logs in. The ldap authentication is set by the nss_ldap package on rh. Then you use the pam settings from that package instead of the default pam settings.
Yes BUT this does not work on the server itself. It must be turned off, creating the necessity of running in two modes, encrypted and unencrypted. A pain in the aft quadrant. Anybody know a way around this? I sure would like to hear it.

Samba itself is a client, so, its setting ldap ssl = yes is required.
Sorry, as previously stated I can only get access if ssl = off (in smb.conf) despite the settings in slapd.conf. My understanding is that ldap and ldaps are set up on Mandrake such that both run on the same port. No trouble there but I sure wish I could completely eliminate the unencrypted option. It would force clients into good behaviour.

I guess that's it.

Being consistent, you should check that in slapd.conf you put something like this, to forbid reading of (encrypted) passwords (for the sake of cracking):
access to attrs=userPassword by self write by anonymous auth by * none
access to attrs=lmPassword by self write by anonymous auth by * none
access to attrs=ntPassword by self write by anonymous auth by * none
Done. My ACLs are good.

understanding is that communications for the purpose of authentication
...
that no encryption is required.  Can anyone verify this?
Yes, the kernel then firewires the communication and one can not hear anything on the net.
Excellent! This is at least in part what I needed to hear. BTW, I put a packet sniffer on the internal interface to see if I could see anything like a clear text password or what-not sliding through during login/logout procedures but none of what I saw was discernible. I guess that is a plus but I still don't really know what that means about the encryption on the windows side. I guess it doesn't matter since if I enable it, the system automatically wants to encrypt its communication with the ldap server and slapd refuses to do it locally.
Perhaps I should report this as a bug?

So if samba and ldap server are on the same computer encryption is not required. So, forget all that stuff about tls, it is only needed for authentication of unix machines - to be encrypted. But only authentication, nfs is still unencrypted.
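The two checks the thread settles on (the TLS directives in slapd.conf and the "by * none" ACLs on userPassword/lmPassword/ntPassword) can be audited mechanically. The script below is an added example, not from the list posters or the OpenLDAP project; it parses slapd.conf text (continuation lines joined, as slapd does) and reports password attributes whose first matching ACL grants anything beyond self write / anonymous auth, or that have no rule at all and so fall to slapd's default "by * read". The sample configuration is constructed for the demonstration.

```python
import re

PASSWORD_ATTRS = ("userpassword", "lmpassword", "ntpassword")
TLS_DIRECTIVES = ("TLSCertificateFile", "TLSCertificateKeyFile", "TLSCACertificateFile")

def _logical_lines(conf_text):
    """slapd.conf directives with continuation lines joined; comments and blanks dropped."""
    joined = []
    for raw in conf_text.splitlines():
        if raw[:1] in (" ", "\t") and joined:   # leading whitespace continues previous directive
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [l for l in joined if l.strip() and not l.lstrip().startswith("#")]

def parse_access_rules(conf_text):
    """[(attrs, [(who, level), ...])] for each 'access to attrs=' directive, in file order."""
    rules = []
    for line in _logical_lines(conf_text):
        m = re.match(r"access\s+to\s+attrs=([\w,]+)\s+(.*)", line, re.I)
        if m:
            attrs = {a.strip().lower() for a in m.group(1).split(",")}
            rules.append((attrs, re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))))
    return rules

def audit(conf_text):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    present = {line.split()[0].lower() for line in _logical_lines(conf_text)}
    for d in TLS_DIRECTIVES:
        if d.lower() not in present:
            findings.append(f"{d} is not set; slapd cannot offer TLS")
    rules = parse_access_rules(conf_text)
    for attr in PASSWORD_ATTRS:
        clauses = next((c for a, c in rules if attr in a), None)  # slapd uses first match
        if clauses is None:
            findings.append(f"no access rule for {attr}; default ACL lets anyone read it")
            continue
        for who, level in clauses:
            if who not in ("self", "anonymous") and level != "none":
                findings.append(f"{attr}: 'by {who} {level}' exposes hashes to {who}")
            if who == "anonymous" and level not in ("auth", "none"):
                findings.append(f"{attr}: anonymous may '{level}' the attribute")
    return findings

# Constructed sample: TLS set up as in the thread, but lmPassword is readable by
# all authenticated users and ntPassword has no rule at all.
SAMPLE_CONF = """\
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=lmPassword by self write by users read by * none
"""
```

Running `audit(SAMPLE_CONF)` reports the lmPassword exposure and the missing ntPassword rule; adding the three rules exactly as written in the thread makes it return an empty list.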
