Configuring LDAP server against Samba 4 DC

Started by stblassitude, July 10, 2019, 10:59:23 PM

Hi,

I'm having a hard time configuring an LDAP server for my Samba 4 hosted DC. Here's what I've configured: In System > Access > Servers I've created an LDAP server:

Type: LDAP
Hostname: dc1.example.com
Port: 636
Transport: SSL
Peer CA: dc1 CA
Protocol: 3
Bind credentials: ldapbind@example.com
Search scope: Entire Subtree
Base DN: dn=example,dn=com
Authentication Containers: cn=users,dn=example,dn=com
Extended Query:
User naming attribute: sAMAccountName
Read Properties: checked
Synchronize groups: checked
Limit groups: nothing selected

The DNS works.

I've extracted the DC CA cert from the domain controller and added it to the CAs.

When I click Select on Authentication Containers, I get the popup, but without any entries.

I can query the LDAP server from the OPNsense machine with ldapsearch:

root@OPNsense:~ # echo TLS_REQCERT allow >.ldaprc
root@OPNsense:~ # ldapsearch -H ldaps://dc1.example.com -x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"

The tester only ever says "authentication failed". I found a couple of posts talking about LDAP logging, but I couldn't find it.

Any hints what I should fill into the form?

A small update: if I try to use the CA cert with ldapsearch, it doesn't work:

$ echo $LDAPRC
/tmp/ldaprc
$ cat /tmp/ldaprc
TLS_CACERT /tmp/ca.cert
# TLS_REQCERT allow
$ ldapsearch -H ldaps://dc1.example.com -x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"
Enter LDAP Password:
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Using the same ca.cert with openssl s_client appears to work just fine:

$ openssl s_client -showcerts -connect dc1.example.com:636 -CAfile /tmp/ca.cert
CONNECTED(00000005)
depth=1 O = Samba Administration, OU = Samba - temporary autogenerated CA certificate, CN = DC1.example.com
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = DC1.example.com
verify return:1
---
Certificate chain
0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=DC1.example.com
   i:/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=DC1.example.com
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 859F9D207D57BFC43E14F695CCAC765D588D9E95E694CB7C917F9AD8EE22D717
    Session-ID-ctx:
    Master-Key: 01573B84ED6CFCF83D6E865600EA1ECBB547674A74752CC61208DCBB33D6CBA3F01F1AFB257504EFC006838BB4E7A599
    Start Time: 1562867827
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^C
I can't find any info on what a "misc. bad certificate" would be, so I continue to be stuck.

I'm on the same page, but don't have a solution yet...

Me too, exactly the same issue. Have been pulling my hair over this.

I believe that it boils down to certificate problems. If I run

setenv LDAPTLS_REQCERT never
ldapsearch ...

it works as expected. I also imported the certificate chain into /usr/local/share/certs/ca-root-nss.crt which works for OpenSSL but not for LDAP.

Maybe the solution lies here: Samba wiki states that the cn of the certificate must be equal to the FQDN of the Samba server you are binding to. But looking at the OP that does not seem to be the issue here.

Did you add the certs additionally to /usr/local/share/certs/ca-root-nss.crt as described here https://docs.opnsense.org/manual/how-tos/self-signed-chain.html?

Actually setting the CA-cert explicitly also works:

# ldap.conf(5) options become environment variables with an LDAP prefix;
# TLS_CACERT names a CA file, TLS_CACERTDIR a directory of hashed CA certs
setenv LDAPTLS_CACERT /path/to/ca.crt
ldapsearch -x -b "cn=users,dc=ds,dc=example,dc=com" -W -D "cn=binduser,cn=users,dc=ds,dc=example,dc=com" -H ldaps://<myldapserver> -vvv
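The two failure modes this thread circles around, an issuer that libldap does not trust (the "misc. bad certificate" handshake error, which TLS_REQCERT never or allow only papers over by switching verification off) and the Samba wiki's requirement that the certificate name match the FQDN being bound to, can be told apart with a small probe that does what ldapsearch's TLS layer does under TLS_REQCERT demand with TLS_CACERT set. The script below is an added example written for this thread, not OPNsense, OpenLDAP or Samba code; the host names, the CA file path and the sample certificate dictionary (modelled on the subjects in the openssl output above) are constructed assumptions.

```python
"""Probe an LDAPS endpoint with full chain and hostname verification and
report why verification fails, instead of disabling it.  Example code for
this thread; host names, paths and sample certificate data are constructed."""
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes as exposed by ssl.SSLCertVerificationError.verify_code
VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "peer presented a self-signed certificate with no CA chain",
    19: "chain ends in a self-signed CA that is not in the trust store "
        "(point TLS_CACERT / LDAPTLS_CACERT at the DC's CA file)",
    20: "issuer certificate not found locally (CA file missing or wrong)",
    21: "leaf certificate signature cannot be verified",
    62: "hostname mismatch: certificate CN/SAN does not cover the name you connected to",
}


def classify_verify_error(verify_code):
    """Turn an OpenSSL verify code into an actionable explanation."""
    if verify_code in VERIFY_ERRORS:
        return VERIFY_ERRORS[verify_code]
    return "verification failed (OpenSSL code %r)" % (verify_code,)


def hostname_matches(cert, hostname):
    """True if cert (ssl.getpeercert() dict form) covers hostname.

    DNS SANs are checked first; the subject CN only counts when the
    certificate carries no DNS SAN at all, mirroring OpenSSL's fallback.
    A single leftmost wildcard label (*.example.com) is honoured."""
    hostname = hostname.lower().rstrip(".")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value)
    for name in names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Handshake with host:port the way ldapsearch does under TLS_REQCERT demand
    and TLS_CACERT=cafile.  Returns a result dict; verification problems are
    reported, not raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True,
                        "protocol": tls.version(),
                        "cipher": tls.cipher()[0],
                        "hostname_ok": hostname_matches(cert, host),
                        "subject": cert.get("subject")}
    except ssl.SSLCertVerificationError as e:   # subclass of SSLError: catch first
        return {"ok": False,
                "reason": classify_verify_error(e.verify_code),
                "detail": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "reason": "connection or handshake failure",
                "detail": str(e)}


# Constructed peer certificate in getpeercert() form, modelled on the subject
# of Samba's autogenerated host certificate shown in the thread (no SAN).
SAMBA_HOST_CERT = {
    "subject": ((("organizationName", "Samba Administration"),),
                (("organizationalUnitName",
                  "Samba - temporary autogenerated HOST certificate"),),
                (("commonName", "DC1.example.com"),)),
}

if __name__ == "__main__":
    # Offline check against the constructed certificate: CN matches the FQDN
    # case-insensitively, but not a differently named alias.
    print("dc1.example.com covered:", hostname_matches(SAMBA_HOST_CERT, "dc1.example.com"))
    print("ldap.example.com covered:", hostname_matches(SAMBA_HOST_CERT, "ldap.example.com"))
    print("code 19 means:", classify_verify_error(19))
    if len(sys.argv) >= 2:   # live probe: probe_ldaps.py <host> [<cafile>]
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(probe_ldaps(sys.argv[1], cafile=cafile))
```

Run it as `python3 probe_ldaps.py dc1.example.com /tmp/ca.cert`: a code 19 or 20 result means the client is not seeing the CA (the ldaprc / LDAPTLS_CACERT problem discussed above), whereas code 62 means the chain is trusted but the name on the certificate does not cover the host you connected to, which is exactly the case that TLS_REQCERT never would silently hide.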