https://bugzilla.novell.com/show_bug.cgi?id=730046
https://bugzilla.novell.com/show_bug.cgi?id=730046#c0

Summary: LDAP server: Samba cannot talk to LDAP over TLS
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Major
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: lynn@steve-ss.com
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---

Created an attachment (id=461810)
 --> (http://bugzilla.novell.com/attachment.cgi?id=461810)
The samba config file

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.102 Safari/535.2

When using TLS between Samba and LDAP, the following error occurs:

Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]:   Failed to issue the StartTLS instruction:

I feel that this is an important security issue and I have offered a solution. Could you also fix it for 12.1?

Reproducible: Always

Steps to Reproduce:
1. Using YaST throughout
2. Create root CA
3. Enter it. Create and export common server certificates
4. Make sure that your FQDN matches the CN of the certificates.
5. LDAP server - use TLS - use common server certificate
6. Copy YaST-CA.pem to /srv/www/htdocs
7. LDAP client - check the TLS box and download the CA from the webserver (there ought to be a way of specifying a file here rather than having to download it from a webserver)
8. LDAP client - advanced configuration - create default config
9. Samba server - Identity - PDC - LDAP settings - use LDAP
10. Give root password so that other machines can join the Samba-created domain.

Actual Results:
Samba does not communicate with LDAP over TLS. See error above.

Expected Results:
Samba connects to LDAP over a TLS connection

It seems that the CA certificate is not being detected.

The problem can be solved by adding:

TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem

to /etc/openldap/ldap.conf
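The two ldap.conf settings above are what let libldap, and therefore Samba's StartTLS call, validate the LDAP server's certificate. As an added check that is not part of the bug report, this POSIX shell function audits an ldap.conf for them; the sample config files and the placeholder CA PEM it writes are constructed here, not taken from the reporter's system.

```shell
#!/bin/sh
# audit_ldap_tls FILE: inspect an OpenLDAP client config (ldap.conf) for the
# two settings the report adds. Returns 0 when TLS_REQCERT enforces
# verification (hard/demand, or unset since libldap defaults to demand) and
# TLS_CACERT names a readable PEM file; returns 1 otherwise.
audit_ldap_tls() {
    conf="$1"
    rc=0
    # Keys are case-insensitive; strip comments and take the last occurrence.
    reqcert=$(sed -e 's/#.*//' "$conf" | awk 'toupper($1)=="TLS_REQCERT"{v=$2} END{print v}')
    cacert=$(sed -e 's/#.*//' "$conf" | awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}')
    case "$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')" in
        hard|demand)     echo "ok: TLS_REQCERT $reqcert (server certificate is verified)" ;;
        "")              echo "info: TLS_REQCERT unset; libldap defaults to demand, set it explicitly" ;;
        never|allow|try) echo "FAIL: TLS_REQCERT $reqcert does not enforce verification"; rc=1 ;;
        *)               echo "FAIL: unknown TLS_REQCERT value '$reqcert'"; rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "FAIL: TLS_CACERT unset; StartTLS has no CA to validate the server against"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "FAIL: TLS_CACERT $cacert is not readable"; rc=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "FAIL: TLS_CACERT $cacert does not look like a PEM certificate"; rc=1
    else
        echo "ok: TLS_CACERT $cacert"
    fi
    return $rc
}

# Constructed sample files (hypothetical, not from the report) so this runs offline.
SAMPLE_DIR=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nplaceholder, not a real certificate\n-----END CERTIFICATE-----\n' \
    > "$SAMPLE_DIR/ca.pem"
# "before": an ldap.conf with no CA configured, the state that reproduces the StartTLS failure.
printf 'BASE   dc=example,dc=com\nURI    ldap://hh1.example.com\n' > "$SAMPLE_DIR/ldap.conf.before"
# "after": the same file plus the two lines the reporter added, pointing at the constructed CA.
printf 'BASE   dc=example,dc=com\nURI    ldap://hh1.example.com\nTLS_REQCERT hard\nTLS_CACERT %s\n' \
    "$SAMPLE_DIR/ca.pem" > "$SAMPLE_DIR/ldap.conf.after"

for f in before after; do
    echo "== ldap.conf.$f =="
    if audit_ldap_tls "$SAMPLE_DIR/ldap.conf.$f"; then echo "result: pass"; else echo "result: fail"; fi
done
```

Run it against the real /etc/openldap/ldap.conf with `audit_ldap_tls /etc/openldap/ldap.conf` after sourcing the script; a "fail" result with the report's smbd error points at the same missing CA configuration.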