[Samba] LDAP problem
Hello Rowland,


You shouldn't use 'ldaps' and ':636'; in fact, you shouldn't use ':636'
at all.

OK, mini-howto coming up ;-)

The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC smb.conf: tls certfile = tls/cert.pem
The reverse DNS zone has been created and is operational
The client is devclient.samdom.example.com

On the DC:
Configure /etc/openldap/ldap.conf as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand

Add this line to smb.conf:

ldap server require strong auth = allow_sasl_over_tls

Now test with this command:

ldapsearch -D "Administrator@xxxxxxxxxxxxxxxxxx" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

Enter password when prompted
If it is working, you will get the user's AD object.

Copy the AD Root certificate to the Linux box

scp /usr/local/samba/private/tls/cert.pem root@devstation:/etc/ssl/certs/member1cert.pem

Configure the /etc/openldap/ldap.conf file as follows:

HOST dc1.samdom.example.com
TLS_CACERT /etc/ssl/certs/member1cert.pem
TLS_REQCERT never

Test with the same command:

ldapsearch -D "Administrator@xxxxxxxxxxxxxxxxxx" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

You should get the same output as on the DC.

The above works for me.

Rowland
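A small audit of the ldap.conf settings used in the steps above, added here as an example and not part of the original thread. It assumes the config path is passed as an argument, flags a redundant ':636' in a URI, a missing or unreadable TLS_CACERT, and a TLS_REQCERT value such as 'never' that disables verification of the DC's certificate.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP ldap.conf for the TLS
# settings discussed above. Exit status 0 = no findings, 1 = at least one finding.
# Assumption: the config path is given as $1; keys are matched case-insensitively.
# Usage: . ./check_ldap_conf.sh && check_ldap_conf /etc/openldap/ldap.conf

conf_value() {
    # Print the value of key $2 in file $1 (last occurrence wins); comment
    # lines start with '#' and so never match a key name.
    awk -v key="$2" 'toupper($1) == toupper(key) { v = $2 } END { print v }' "$1"
}

check_ldap_conf() {
    f="$1"
    rc=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 1; }

    host=$(conf_value "$f" HOST)
    uri=$(conf_value "$f" URI)
    cacert=$(conf_value "$f" TLS_CACERT)
    reqcert=$(conf_value "$f" TLS_REQCERT)

    # ldapsearch needs HOST or URI to know which DC to contact.
    if [ -z "$host" ] && [ -z "$uri" ]; then
        echo "FINDING: neither HOST nor URI is set"; rc=1
    fi
    # ldaps:// already implies port 636, so an explicit :636 is redundant.
    case "$uri" in
        *:636*) echo "FINDING: explicit :636 in URI is unnecessary with ldaps://"; rc=1;;
    esac

    # With TLS_REQCERT demand, a missing CA file makes every connection fail.
    if [ -z "$cacert" ]; then
        echo "FINDING: TLS_CACERT is not set"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "FINDING: TLS_CACERT $cacert is not readable"; rc=1
    fi

    # 'never', 'allow' and 'try' accept a DC certificate that fails verification,
    # so an impersonating server would not be detected by the client.
    case "$(echo "$reqcert" | tr 'A-Z' 'a-z')" in
        demand|hard) ;;
        never|allow|try) echo "FINDING: TLS_REQCERT $reqcert does not enforce verification"; rc=1;;
        "") echo "INFO: TLS_REQCERT not set; OpenLDAP defaults to demand" ;;
        *) echo "FINDING: unknown TLS_REQCERT value $reqcert"; rc=1;;
    esac
    return $rc
}
```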
I tried the first part:


On the DC:
Configure /etc/openldap/ldap.conf as follows:
HOST dc1.samdom.example.com
TLS_CACERT /usr/local/samba/private/tls/cert.pem
TLS_REQCERT demand
[OK]

Add this line to smb.conf:

ldap server require strong auth = allow_sasl_over_tls
[OK]

Now test with this command:

ldapsearch -D "Administrator@xxxxxxxxxxxxxxxxxx" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

[I got the same thing]


ldapsearch -D "administrator@xxxxxxxxxxxxx" -b "cn=users,cn=lucas,dc=ufes,dc=br" -H ldaps://devsamba.lucas.ufes.br -w 's3nh4.s3rv3r' sAMAccountName=administrator
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Thank you for the help. I don't know if it is a server machine's problem. Probably I'll back up and restore it, or just set up the server from the beginning...
Lucas