"Peter Nyberg" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Everything seems to work on the ldap server and when I do a ldapsearch like this:
>
> ldapsearch -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
>
> Everything works on both. But when I do:
>
> ldapsearch -H ldaps://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x
>
> It works on the ldap server without errors, but on the Samba server I get
> the following error:
>
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It is my understanding that Samba 3.x works with TLS and not SSL. TLS works
with ldap:/// and SSL works with ldaps:///. ldap:/// uses port 389 and
ldaps:/// uses port 636. I would therefore not expect ldaps:/// to work even
though I have never tried it.

The thing here is that both encrypted ldap communication and unencrypted
ldap communication use port 389 and ldap:///. To ensure that ldap only
accepts the encrypted communication you can force the use of TLS. To do so,
add the following line to your slapd.conf.

security tls=1

I learnt how to configure TLS/SSL from "Building Secure Servers with Linux"
by Michael Bauer and the following article.

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

I have always created my own Certificate Authority instead of using self
signed certificates.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
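As an added illustration of the reply above (this is editor-supplied configuration, not anything posted by Peter Nyberg or the responder), the fragments below show the three pieces that have to agree for StartTLS over port 389 to work: the slapd.conf side with the server certificate issued by a private CA and the `security tls=1` line that refuses unencrypted operations, the client-side ldap.conf on the Samba server that tells the OpenLDAP client library which CA to trust (the "unknown CA" / "certificate verify failed" lines in the quoted trace are the client refusing a certificate whose issuer it does not know), and the smb.conf setting that makes Samba 3.x negotiate StartTLS on ldap:// rather than use ldaps://. The hostname and base DN are taken from the quoted commands; all file paths under /etc/openldap/certs and /etc/samba are assumptions.

```conf
# --- /etc/openldap/slapd.conf on the LDAP server (paths are assumptions) ---
# Server certificate issued by our own CA, plus the CA certificate itself.
TLSCACertificateFile   /etc/openldap/certs/ca.crt
TLSCertificateFile     /etc/openldap/certs/l1.dbb.su.se.crt
TLSCertificateKeyFile  /etc/openldap/certs/l1.dbb.su.se.key

# Weak configuration: with no "security" directive at all, a client that
# never issues StartTLS can bind and search in the clear on port 389.

# Corrected configuration: reject any operation that is not protected by
# TLS, so clients must negotiate StartTLS on port 389 before binding.
security tls=1

# --- /etc/openldap/ldap.conf on the Samba server (client side) ---
# "unknown CA" / "certificate verify failed" means the client library does
# not trust the issuer of the server certificate. Point it at the CA that
# signed the server certificate and insist that verification succeed.
BASE        dc=dbb,dc=su,dc=se
URI         ldap://l1.dbb.su.se/
TLS_CACERT  /etc/openldap/certs/ca.crt
TLS_REQCERT demand

# --- /etc/samba/smb.conf on the Samba server (Samba 3.x) ---
[global]
    passdb backend = ldapsam:ldap://l1.dbb.su.se/
    ldap suffix    = dc=dbb,dc=su,dc=se
    # Negotiate StartTLS over port 389 instead of connecting to ldaps:// on 636.
    ldap ssl       = start tls
```

To check the client side independently of Samba, run `ldapsearch -ZZ -H ldap://l1.dbb.su.se/ -b dc=dbb,dc=su,dc=se -x` from the Samba server: `-ZZ` makes ldapsearch fail unless the StartTLS negotiation succeeds, so a clean result confirms that the CA in TLS_CACERT matches the issuer of the server certificate, and an "unknown CA" trace points back at a mismatch between the two.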
