Anyone successfully use TLS to an OpenLDAP back end using a *wildcard* SSL certificate?

Samba 3.0.20b
OpenLDAP 2.3.12
OpenSSL 0.9.8
(these are blastwave.org CSW packages, btw)
Fresh install of Solaris 9 with the very latest patch cluster. No iPlanet or Sun DS stuff is installed.

Here's an excerpt from my smb.conf file...
[global]
       workgroup = EXAMPLE
       netbios name = TESTBED
       security = user
       enable privileges = yes
       encrypt passwords = yes
       log file = /var/log/samba/log.smbd
       ldap passwd sync = yes
       passdb backend = ldapsam:ldap://localhost/ smbpasswd guest
       # passdb backend = ldapsam:ldaps://localhost/ smbpasswd guest
       ldap suffix = dc=example,dc=org
       ldap machine suffix = ou=People
       ldap user suffix = ou=People
       ldap group suffix = ou=Group
       ldap idmap suffix = ou=Idmap
       ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
       ldap ssl = no
       # ldap ssl = yes
       # ldap ssl = start tls

When "ldap ssl = no" then all is well, but I've been unable to use either yes or start tls successfully.

If I use "ldap ssl  = start tls" I get
[2006/01/03 13:56:20.688388, 0] lib/smbldap.c:(615)
 Failed to issue the StartTLS instruction: Connect error

If I use "ldap ssl = yes" I see the following...
[2006/01/03 15:33:57.807033, 0] lib/smbldap.c:(790)
failed to bind to server ldaps://localhost/ with dn="cn=samba,ou=DSA,dc=example,dc=org" Error: Can't contact LDAP server
       TLS: hostname does not match CN in peer certificate

(the CN in the cert in this case would be "*.example.org")

ldap.conf points to the proper certificate and CA:
[EMAIL PROTECTED] cat /etc/ldap.conf
HOST            localhost testbed.example.org
BASE            dc=example,dc=org
SSL             start_tls
TLS_CACERT      /usr/ssl/certs/rapidssl_01.cer
TLS_CERT        /usr/ssl/certs/example.org.crt
TLS_KEY         /usr/ssl/private/example.org.key
TLS_REQCERT     demand

and the certificate works as expected for (for instance) https.

I have also verified that TLS is working normally by using ldapsearch:
[EMAIL PROTECTED] ldapsearch -x -W -ZZ -D cn=samba,ou=dsa,dc=example,dc=org "(objectClass=sambaDomain)"
Enter LDAP Password: ********
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectClass=sambaDomain)
# requesting: ALL
#

# EXAMPLE, example.org
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
sambaDomainName: EXAMPLE
sambaSID: S-*-*-**-**********-*********-*********
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Any thoughts on how I might get this to work with the wildcard certificate?

Thanks!

--

Roy McMorran
Systems Administrator
MDI Biological Laboratory
[EMAIL PROTECTED]
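The "hostname does not match CN in peer certificate" error is the client comparing the host named in the LDAP URI ("localhost") against the certificate name ("*.example.org"), and a wildcard only ever matches one DNS label under example.org. The following is an added illustration (not from the post or from Samba/OpenLDAP) of the usual client-side wildcard rule, applied to the hostnames from this thread; the host list and certificate names are constructed for the example.

```python
def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate CN/dNSName matches the hostname a client dialled.

    The rule mirrors common TLS client behaviour (RFC 6125 section 6.4.3):
    - DNS names compare case-insensitively;
    - '*' is honoured only as the entire left-most label;
    - the wildcard stands for exactly one label, never zero or several;
    - at least two fixed labels must follow the wildcard ("*.org" is rejected).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Only a left-most, whole-label, single wildcard is accepted.
    if c_labels[0] != "*" or "*" in cert_name[2:] or len(c_labels) < 3:
        return False
    # One label for the wildcard, then every remaining label must be identical.
    if len(h_labels) != len(c_labels):
        return False
    return c_labels[1:] == h_labels[1:]


def usable_ldap_hosts(cert_names, candidates):
    """Keep only the candidate hostnames a certificate-checking LDAP client accepts."""
    return [h for h in candidates
            if any(wildcard_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    # Constructed values: the wildcard name from the thread and the hosts one
    # might put in "passdb backend = ldapsam:ldaps://<host>/".
    cert = ["*.example.org"]
    hosts = ["localhost", "127.0.0.1", "testbed.example.org", "ldap.dev.example.org"]
    for h in hosts:
        print(f"{h:24} -> {'accepted' if h in usable_ldap_hosts(cert, [h]) else 'rejected'}")
```

The result shows why pointing the ldaps URI at testbed.example.org (already listed on the HOST line of ldap.conf) satisfies the check, while localhost, an IP address, or a deeper subdomain never will.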
