Configuring LDAP server against Samba 4 DC

Started by stblassitude, July 10, 2019, 10:59:23 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 10, 2019, 10:59:23 PM
Hi,

I'm having a hard time configuring an LDAP server for my Samba 4 hosted DC. Here's what I've configured: In System > Access > Servers I've created an LDAP server:

Type: LDAP
Hostname: dc1.example.com
Port: 636
Transport: SSL
Peer CA: dc1 CA
Protocol: 3
Bind credentials: ldapbind@example.com
Search scope: Entire Subtree
Base DN: dn=example,dn=com
Authentication Containers: cn=users,dn=example,dn=com
Extended Query:
User naming attribute: sAMAccountName
Read Properties: checked
Synchronize groups: checked
Limit groups: nothing selected

The DNS works.

I've extracted the DC CA cert from the domain controller and added it to the CAs.

When I click Select on Authentication Containers, I get the popup, but without any entries.

I can query the LDAP server from the OPNsense machine with ldapsearch:

root@OPNsense:~ # echo TLS_REQCERT allow >.ldaprc
root@OPNsense:~ # ldapsearch -H ldaps://dc1.example.com-x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"

The tester only ever says "authentication failed". I found a couple of posts talking about LDAP logging, but I couldn't find it.

Any hints what I should fill into the form?
July 11, 2019, 08:00:49 PM #1
A small update: if I try to use the CA cert with ldapsearch, it doesn't work:

Code Select

$ echo LDAPRC
/tmp/ldaprc
$ cat /tmp/ldaprc
TLS_CACERT /tmp/ca.cert
# TLS_REQCERT allow
$ ldapsearch -H ldaps://dc1.example.com -x -W -D "ldapbind@example.com" -b "dc=example,dc=com" -d8 "(sAMAccountName=ldapbind)"
Enter LDAP Password:
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
TLS: can't connect: SSLHandshake() failed: misc. bad certificate (-9825).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Using the same ca.cert with openldap s_connect appears to work just fine:
Code Select

$ openssl s_client -showcerts -connect dc1.example.com:636 -CAfile /tmp/ca.cert
CONNECTED(00000005)
depth=1 O = Samba Administration, OU = Samba - temporary autogenerated CA certificate, CN = DC1.example.com
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = DC1.example.com
verify return:1
---
Certificate chain
0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=DC1.example.com
   i:/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=DC1.example.com
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 859F9D207D57BFC43E14F695CCAC765D588D9E95E694CB7C917F9AD8EE22D717
    Session-ID-ctx:
    Master-Key: 01573B84ED6CFCF83D6E865600EA1ECBB547674A74752CC61208DCBB33D6CBA3F01F1AFB257504EFC006838BB4E7A599
    Start Time: 1562867827
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^C


I can't find any info on what a "misc. bad certificate" would be, so I continue to be stuck.
July 19, 2019, 11:59:55 PM #2
I'm on the same page, but don't have a solution yet...
August 12, 2019, 10:37:14 PM #3
Me too, exactly the same issue. Have been pulling my hair over this.
August 12, 2019, 11:11:17 PM #4
I believe that it boils down to certificate problems. If I run

Code Select

setenv LDAPTLS_REQCERT never
ldapsearch ...


it works as expected. I also imported the certificate chain into
Code Select
/usr/local/share/certs/ca-root-nss.crt which works for OpenSSL but not for LDAP.

Maybe the solution lies here: Samba wiki states that the cn of the certificate must be equal to the FQDN of the Samba server you are binding to. But looking at the OP that does not seem to be the issue here.

Did you add the certs additionally to
Code Select
/usr/local/share/certs/ca-root-nss.crt as described here https://docs.opnsense.org/manual/how-tos/self-signed-chain.html?
August 12, 2019, 11:30:39 PM #5
Maybe another solution lies here, a very old post indeed: https://serverfault.com/a/501815/280708
August 15, 2019, 10:51:49 AM #6
Actually setting the CA-cert explicitly also works:

Code Select

setenv TLS_CACERTDIR /path/to/ca.crt
ldapsearch -x -b "cn=users,dc=ds,dc=example,dc=com" -W -D "cn=binduser,cn=users,dc=ds,dc=example,dc=com" -H ldaps://<myldapserver> -vvv
Print
Go Up Pages1
User actions