LDAP problem


LDAP problem

Samba - General mailing list
Hello Brian,


Sorry for my late answer, I did what you suggested previously:

> This error suggests a problem with your certificate. If it used to work
> previously, then check it hasn't expired.
>
>      openssl s_client -connect devsamba.lucas.ufes.br:636
>
> copy-paste the certificate into a pem file, including begin/end lines
>
>      openssl x509 -in mycert.pem -noout -enddate
>
> And check your root CA cert hasn't expired:
>
>      openssl x509 -in /usr/local/samba/private/tls/cert.pem -noout -enddate

I did the first command and I got this:

openssl s_client -connect devsamba.lucas.ufes.br:636
socket: Connection refused
connect:errno=111


Then I copy-paste the certificate and got this:

openssl x509 -in mycert.pem -noout -enddate
notAfter=Sep 26 16:56:46 2018 GMT


Then the third command:

openssl x509 -in /usr/local/samba/private/tls/cert.pem -noout -enddate
notAfter=Sep 26 16:56:46 2018 GMT


Seriously, I can't understand why I can't access it! It was perfect before, and now this...


Lucas
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

LDAP problem

Samba - General mailing list
Hello Rowland,


> You shouldn't use 'ldaps' and ':636', in fact you shouldn't use ':636'
> at all.
>
> OK, mini-howto coming up ;-)
>
> The DC is dc1.samdom.example.com
> The AD domain DN is dc=samdom,dc=example,dc=com
> There is this line in the DC smb.conf: tls certfile = tls/cert.pem
> The reverse DNS zone has been created and is operational
> The client is devclient.samdom.example.com
>
> On the DC:
> Configure /etc/openldap/ldap.conf as follows:
> HOST dc1.samdom.example.com
> TLS_CACERT /usr/local/samba/private/tls/cert.pem
> TLS_REQCERT demand
>
> Add this line to smb.conf:
>
> ldap server require strong auth = allow_sasl_over_tls
>
> Now test with this command:
>
> ldapsearch -D "[hidden email]" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
>
> Enter password when prompted
> If it is working, you will get the user's AD object.
>
> Copy the AD Root certificate to the Linux box
>
> scp /usr/local/samba/private/tls/cert.pem root@devstation:/etc/ssl/certs/member1cert.pem
>
> Configure the /etc/openldap/ldap.conf file as follows:
>
> HOST dc1.samdom.example.com
> TLS_CACERT /etc/ssl/certs/member1cert.pem
> TLS_REQCERT never
>
> Test with the same command:
>
> ldapsearch -D "[hidden email]" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland
>
> You should get the same output as on the DC.
>
> The above works for me.
>
> Rowland

I tried the first part:


On the DC:
Configure /etc/openldap/ldap.conf as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
[OK]

Add this line to smb.conf:

ldap server require strong auth = allow_sasl_over_tls
[OK]

Now test with this command:

ldapsearch -D "[hidden email]" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

[I got the same thing]


ldapsearch -D "[hidden email]" -b "cn=users,cn=lucas,dc=ufes,dc=br" -H ldaps://devsamba.lucas.ufes.br -w 's3nh4.s3rv3r' sAMAccountName=administrator
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)




Thank you for the help. I don't know if it is a server machine's problem. Probably I'll back up and restore it, or just set up the server from the beginning...



Lucas

Re: LDAP problem

Samba - General mailing list
On Mon, 13 Feb 2017 10:15:06 +0000
Lukz Ferris via samba <[hidden email]> wrote:

> Hello Rowland,
>
>
I take it your ldap.conf now looks like this:

HOST devsamba.lucas.ufes.br
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand

and the path to 'cert.pem' is correct for your installation
>
> ldapsearch -D "[hidden email]" -b
> "cn=users,cn=lucas,dc=ufes,dc=br" -H ldaps://devsamba.lucas.ufes.br
> -w 's3nh4.s3rv3r' sAMAccountName=administrator
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>

All I can say is that it works for me, both on the DC and a domain
member.

>
>
>
> Thank you for the help. I don't know if it is a server machine's
> problem. Probably I'll backup and restore it or just set the server
> from the beginning...
>

Is something else getting in the way? A firewall or SELinux etc.

Rowland



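An added example, not code from this thread or from the Samba project: a small shell lint for an OpenLDAP client `ldap.conf` of the shape used in Rowland's how-to (both the DC file with `TLS_REQCERT demand` and the member file with `TLS_REQCERT never`). It reports the `HOST`/`URI` target, whether the `TLS_CACERT` file is actually readable, and whether the `TLS_REQCERT` value makes the client verify the DC's certificate at all. The semantics of the `TLS_REQCERT` values (`never`, `allow`, `try`, `demand`/`hard`, default `demand`) come from ldap.conf(5); the `ldap_conf_check` and `demo_ldap_conf_check` names and the constructed files in the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an OpenLDAP client
# /etc/openldap/ldap.conf of the shape used in Rowland's how-to before you
# run ldapsearch against the DC. It reports the HOST/URI, whether the
# TLS_CACERT file is readable, and whether the TLS_REQCERT setting makes
# the client verify the DC's certificate at all.
#
# Usage: ldap_conf_check /etc/openldap/ldap.conf
# Prints key=value findings; exit status 0 only when a readable CA file is
# pinned and TLS_REQCERT is demand/hard (or unset, which defaults to demand).

ldap_conf_check() {
    conf=$1
    host='' cacert='' reqcert=''
    [ -r "$conf" ] || { printf 'cannot read %s\n' "$conf" >&2; return 2; }
    # One directive per line: NAME VALUE. Names are case-insensitive;
    # blank lines and '#' comments are skipped.
    while read -r key value; do
        case $key in
            ''|'#'*) continue ;;
        esac
        ukey=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        case $ukey in
            HOST|URI)    host=$value ;;
            TLS_CACERT)  cacert=$value ;;
            TLS_REQCERT) reqcert=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') ;;
        esac
    done < "$conf"

    # ldap.conf(5): TLS_REQCERT defaults to demand when not set.
    [ -n "$reqcert" ] || reqcert=demand
    case $reqcert in
        demand|hard) verifies=yes ;;     # bad or missing server cert aborts the session
        try)         verifies=partial ;; # a bad cert aborts, a missing cert is tolerated
        never|allow) verifies=no ;;      # server cert is not checked (or not even requested)
        *)           verifies=unknown ;; # unrecognised value
    esac
    if [ -n "$cacert" ] && [ -r "$cacert" ]; then readable=yes; else readable=no; fi

    printf 'host=%s\n' "$host"
    printf 'cacert=%s\n' "$cacert"
    printf 'cacert_readable=%s\n' "$readable"
    printf 'reqcert=%s\n' "$reqcert"
    printf 'verifies_server=%s\n' "$verifies"
    [ "$readable" = yes ] && [ "$verifies" = yes ]
}

# Demo on two constructed files (a DC-style and a client-style ldap.conf),
# written to a scratch directory so the example runs anywhere.
demo_ldap_conf_check() {
    dir=$(mktemp -d) || return 2
    # Constructed stand-in for the DC's CA certificate file (content irrelevant here).
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n' > "$dir/cert.pem"
    printf 'HOST dc1.samdom.example.com\nTLS_CACERT %s\nTLS_REQCERT demand\n' "$dir/cert.pem" > "$dir/dc.conf"
    # Client file whose CA copy was never made: the path does not exist.
    printf '# client\nHOST dc1.samdom.example.com\nTLS_CACERT %s\nTLS_REQCERT never\n' "$dir/member1cert.pem" > "$dir/client.conf"
    for f in dc.conf client.conf; do
        printf '== %s ==\n' "$f"
        if ldap_conf_check "$dir/$f"; then echo "OK"; else echo "NOT OK"; fi
    done
    rm -rf "$dir"
}

demo_ldap_conf_check
```

Run it against the real file (`ldap_conf_check /etc/openldap/ldap.conf`) on whichever box the `ldapsearch` is failing on: a `cacert_readable=no` line means the CA copy step was skipped or the path is wrong, and `verifies_server=no` means the client would accept any certificate the server sends, so a passing `ldapsearch` with that setting says nothing about the DC's certificate.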

Re: LDAP problem

Samba - General mailing list
On 13/02/2017 10:01, Lukz Ferris wrote:

> This error suggests a problem with your certificate. If it used to work
> previously, then check it hasn't expired.
>
>       openssl s_client -connect devsamba.lucas.ufes.br:636
>
> copy-paste the certificate into a pem file, including begin/end lines
>
>       openssl x509 -in mycert.pem -noout -enddate
>
> And check your root CA cert hasn't expired:
>
>       openssl x509 -in /usr/local/samba/private/tls/cert.pem -noout -enddate
>
>
>
>
>
> I did the first command and I got this:
>
> openssl s_client -connect devsamba.lucas.ufes.br:636
> socket: Connection refused
> connect:errno=111

Then your server is not even listening on the ldaps port, or port 636 is
being blocked. If this worked in the past, then probably something has
changed in your config.

To check whether it's a firewall problem, on the server itself check for
listening processes:

# netstat -natp | grep LISTEN

If no process is listening on port 636, then that's where your problem
is.  Go check logs etc to see why the LDAP server isn't listening.

If there *is* a process listening on port 636 (and it's not bound to a
local interface like 127.0.0.1 or ::1) then check what's blocking the
traffic in between your client and server - e.g. iptables rules.


> Then I copy-paste the certificate and got this:

What certificate did you copy-paste?? The purpose of the "openssl s_client
-connect x.x.x.x:636" command was to connect and find out what
certificate the server was sending to you.  But you didn't establish the
connection, so there was no certificate to check.

Regards,

Brian.


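An added example, not code from this thread: shell helpers that follow Brian's diagnosis in order, covering both his certificate-expiry check from the first message and the "is anything listening on 636" check from this one. `ldaps_listener_state` classifies `netstat -natp` output for the ldaps port as no listener, loopback-only, or listening on a routable address; `notafter_to_stamp` and `cert_expired` turn the `notAfter=` line that `openssl x509 -noout -enddate` prints into a UTC timestamp and compare it with now; `ldaps_cert_state` chains the real `openssl s_client` and `openssl x509` commands for a live check and reports when no handshake happened (so there is no certificate to check). Assumed: the netstat column layout (`Proto Recv-Q Send-Q Local Foreign State`), openssl's `notAfter=Mon DD HH:MM:SS YYYY GMT` format, and the function names; the netstat sample in the block is constructed, not output from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline helpers that follow
# Brian's diagnosis order: classify what `netstat -natp` shows for the ldaps
# port, then turn the `notAfter=` line from `openssl x509 -enddate` into a
# UTC timestamp that can be compared with "now". A live wrapper at the end
# chains the real openssl commands for when the port does answer.
# Assumed: the netstat column layout (Proto Recv-Q Send-Q Local Foreign State)
# and openssl's "notAfter=Mon DD HH:MM:SS YYYY GMT" format.

# ldaps_listener_state PORT  (reads netstat output on stdin)
# Prints: none          -> no LISTEN socket on PORT: the LDAP server is the problem
#         loopback-only -> listens only on 127.0.0.1 / ::1: unreachable from clients
#         listening     -> bound to a routable address: look at firewalls in between
ldaps_listener_state() {
    port=$1
    state=none
    while read -r proto recvq sendq laddr faddr st rest; do
        [ "$st" = LISTEN ] || continue
        # Local address column looks like 0.0.0.0:636, 127.0.0.1:636 or :::636.
        case $laddr in
            *:"$port") ;;
            *) continue ;;
        esac
        addr=${laddr%:*}
        case $addr in
            127.*|::1) [ "$state" = listening ] || state=loopback-only ;;
            *)         state=listening ;;
        esac
    done
    printf '%s\n' "$state"
}

# notafter_to_stamp 'notAfter=Sep 26 16:56:46 2018 GMT'  ->  20180926165646
notafter_to_stamp() {
    rest=${1#notAfter=}
    set -- $rest                      # Mon DD HH:MM:SS YYYY GMT (day is space-padded)
    mon=$1 day=$2 hms=$3 year=$4
    case $mon in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) printf 'unrecognised date: %s\n' "$rest" >&2; return 1 ;;
    esac
    case $day in ?) day=0$day ;; esac   # single-digit day -> two digits
    printf '%s%s%s%s\n' "$year" "$m" "$day" "$(printf '%s' "$hms" | tr -d :)"
}

# cert_expired NOTAFTER_LINE [NOW_STAMP]
# Exit 0 when notAfter is before NOW_STAMP (same 14-digit UTC form, defaults
# to the current time), 1 when still valid, 2 when the line cannot be parsed.
cert_expired() {
    end=$(notafter_to_stamp "$1") || return 2
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    [ "$end" -lt "$now" ]
}

# Live check (needs network and openssl; not used by the offline demo):
# fetch the leaf certificate from HOST:PORT the way Brian's s_client step
# does and report its state. Without a TLS handshake (e.g. "Connection
# refused") there is no certificate to check, and the function says so.
ldaps_cert_state() {
    host=$1 port=${2:-636}
    line=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -enddate 2>/dev/null) || {
        printf 'no TLS handshake with %s:%s, nothing to check\n' "$host" "$port"; return 2; }
    if cert_expired "$line"; then printf 'expired (%s)\n' "$line"; else printf 'valid (%s)\n' "$line"; fi
}

# Constructed sample of `netstat -natp` output (not output from the thread):
# ldaps is bound to 127.0.0.1 only, which a remote s_client would see as refused.
sample_netstat='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1234/samba
tcp        0      0 127.0.0.1:636           0.0.0.0:*               LISTEN      1234/samba
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd'

demo_listener_state() { printf '%s\n' "$sample_netstat" | ldaps_listener_state 636; }

printf 'ldaps listener: %s\n' "$(demo_listener_state)"
if cert_expired 'notAfter=Sep 26 16:56:46 2018 GMT'; then
    printf 'notAfter=Sep 26 16:56:46 2018 GMT: expired\n'
else
    printf 'notAfter=Sep 26 16:56:46 2018 GMT: still valid\n'
fi
```

On the server, `netstat -natp | ldaps_listener_state 636` gives the three-way answer Brian describes (nothing listening, listening only on loopback, or listening and therefore a firewall question); `ldaps_cert_state devsamba.lucas.ufes.br` then only reports an expiry date once a handshake actually succeeds, which is the step Lucas's `Connection refused` never reached.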