
Re: [Samba] tls verify peer with custom self-signed certificate

On 4/17/2018 3:56 AM, Marco Gaiarin via samba wrote:
> Greetings! lingpanda101 via samba, on that day, was saying...
>
>> When using a custom self-signed certificate, what is the appropriate
>> value for 'tls verify peer ='?
>
> ...AFAIK the same for every certificate; the CA's certificates have to
> be in the ''central store'', or have to be explicitly set via 'tls cafile ='.
>
> Some distros have a framework to add certificates to the central store,
> e.g. the Debian ca-certificates/ssl-cert packages:
>
> 	https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html

Hello Marco,

Thank you for your comment. I tried adding to my central store but I'm not getting the results I expect. Further research shows I may be going around my issue all wrong.

I'm attempting to tighten my security settings on my DCs. Specifically the following commands.

 * ldap server require strong auth = no
 * tls verify peer = no_check

I have external applications such as Apache, NGINX or IIS that I authenticate against my DCs. If I enable 'ldap server require strong auth = yes', I break authentication. I thought I needed to configure LDAPS to correct the issue. Reading through the list I see references to not using LDAPS but Kerberos.

--
James
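The two smb.conf fragments below are an added illustration, not configuration posted by James or Marco or shipped by the Samba project: the first shows the two weak settings named in the thread, the second the form a DC would have once its certificate chain is set up. The file paths are assumptions (Samba resolves relative 'tls *' paths against its private directory; only 'tls/ca.pem' is the documented default for 'tls cafile'), and the value 'ca_and_name' is one of the documented choices for 'tls verify peer' (no_check, ca_only, ca_and_name_if_available, ca_and_name, as_strict_as_possible).

```ini
; --- Before (added example): weak settings the thread is trying to move away from ---
[global]
    ; Samba does no chain or hostname check on TLS peers it connects to
    tls verify peer = no_check
    ; Simple binds and unsigned SASL binds accepted over plain LDAP
    ldap server require strong auth = no

; --- After (added example): same DC with the self-signed CA wired in ---
[global]
    tls enabled = yes
    ; Assumed paths, relative to the private dir (e.g. /var/lib/samba/private)
    tls keyfile  = tls/key.pem
    tls certfile = tls/cert.pem
    ; CA that issued cert.pem; this is what Samba verifies peers against
    tls cafile   = tls/ca.pem
    ; Require a chain to 'tls cafile' AND a matching hostname
    tls verify peer = ca_and_name
    ; Simple binds only over TLS (ldaps:// or StartTLS); plain LDAP needs
    ; SASL with signing/sealing, which is what breaks a cleartext simple bind
    ldap server require strong auth = yes
```

Two things follow from the hardened fragment. 'tls verify peer' and 'tls cafile' govern what Samba itself accepts when it is the TLS client, so they do nothing for an Apache or IIS instance binding to the DC; each of those clients has to trust ca.pem in its own store, which is where a distro's central store helps. And 'ldap server require strong auth = yes' does not reject LDAPS simple binds, only cleartext ones, so an application that breaks under it is almost certainly doing a simple bind over ldap://389 and needs to move to ldaps:// or StartTLS (or to Kerberos, as the list suggests).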
