Re: [Samba] tls verify peer with custom self-signed certificate
- Date: Tue, 17 Apr 2018 11:12:45 -0400
- From: lingpanda101 via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] tls verify peer with custom self-signed certificate
On 4/17/2018 3:56 AM, Marco Gaiarin via samba wrote:
> Hello! lingpanda101 via samba
>   On that day it was said...
>
>> When using a custom self-signed certificate, what is the appropriate
>> value for 'tls verify peer ='?
>
> ...AFAIK the same for every certificate; the CA's certificates have to
> be in the ''central store'', or have to be explicitly set via 'tls cafile ='.
> Some distros have a framework to add certificates to the central store,
> e.g. the Debian ca-certificates/ssl-cert packages:
> https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html

Hello Marco,
Thank you for your comment. I tried adding to my central store but
I'm not getting the results I expect. Further research shows I may be
going around my issue all wrong.
I'm attempting to tighten my security settings on my DCs. Specifically
the following commands.
* ldap server require strong auth = no
* tls verify peer = no_check
I have external applications such as Apache, NGINX or IIS I authenticate
with against my DCs. If I enable 'ldap server require strong auth =
yes', I break authentication. I thought I needed to configure ldaps to
correct the issue. Reading through the list, I see references to not using
ldaps but Kerberos
--
James
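
A check for the two relaxed settings named in the message above, added here as an example and not part of the original thread or of Samba itself. It scans the `[global]` section of smb.conf text; the sample configurations and the CA file path are constructed, and the `tls cafile` note follows the quoted reply rather than Samba's documentation.

```python
import re

# Normalised parameter name -> (display name, values the thread wants to move away from).
WEAK = {
    "tlsverifypeer": ("tls verify peer", {"no_check"}),
    "ldapserverrequirestrongauth": ("ldap server require strong auth", {"no"}),
}

def parse_global(text):
    """Return {normalised name: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment markers
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Compare names without regard to case or embedded spaces.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """List findings for relaxed LDAP/TLS settings in smb.conf text."""
    params = parse_global(text)
    findings = []
    for key, (display, bad) in WEAK.items():
        value = params.get(key)
        if value is not None and value.lower() in bad:
            findings.append(f"{display} = {value}")
    # Per the quoted reply: a verifying setting needs a CA, e.g. via 'tls cafile'.
    verify = params.get("tlsverifypeer", "").lower()
    if verify not in ("", "no_check") and "tlscafile" not in params:
        findings.append("tls verify peer is set but tls cafile is not set explicitly")
    return findings

# Constructed sample inputs (not taken from the poster's servers).
WEAK_CONF = """[global]
    ; relaxed settings from the message
    ldap server require strong auth = no
    TLS Verify Peer = no_check
"""
TIGHT_CONF = """[global]
    ldap server require strong auth = yes
    tls verify peer = as_strict_as_possible
    tls cafile = /etc/samba/tls/ca.pem
"""
```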