Bug 10143 - Mozldap C-SDK is not supported
Summary: Mozldap C-SDK is not supported
Status: ASSIGNED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: unspecified
Hardware: All All
Importance: P5 enhancement
Target Milestone: ---
Assignee: Jura Sasek
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 3504
Depends on:
Blocks:
 
Reported: 2013-09-16 18:47 UTC by Jura Sasek
Modified: 2014-02-20 23:11 UTC
CC: 1 user

See Also:


Attachments
diff against 3.6.15 (3.6.18 only has offset in configure.in) (12.26 KB, patch)
2013-09-16 18:47 UTC, Jura Sasek

Description Jura Sasek 2013-09-16 18:47:06 UTC
Created attachment 9216
diff against 3.6.15 (3.6.18 only has offset in configure.in)

There are rfc-1823 extensions used in Samba. Even if both C-SDKs (Mozldap and OpenLDAP) do mostly the same thing, some small differences can be encountered. Especially the crypto (ldap-ssl and StartTLS) support needs some small improvements.

The main difference is that the path to certificates and keys should be set by the application via the API. New smb.conf options are needed to set those paths.

The added options are:

   ldap certdb dir = <dir>
   ldap keydb dir = <dir>

Default:
   ldap certdb dir = /etc/samba/private/
   ldap keydb dir = /etc/samba/private/

Also the ldap-ssl protocol (the ldap connection is stated as secured directly) is supported by the following settings in smb.conf:

   passdb backend = ldapsam:ldaps://myserv.mydom.com:632/
   ldap ssl = no # there is no "start tls" option, but the "ldaps" URL scheme switches SSL on
Comment 1 Jura Sasek 2013-09-16 21:55:29 UTC
Environment variable:

NSS_STRICT_NOFORK=DISABLED; export NSS_STRICT_NOFORK

...should be set in the smbd environment. Otherwise the ldap_bind_s() in the session (child) smbd will fail, at least on Solaris, due to NSS/NSPR interaction with fork(): the crypto engine is reset but stays initialized, so the crypto engine will evaluate the keys as desynchronized.
Comment 2 Björn Jacke 2013-09-18 13:10:41 UTC
*** Bug 3504 has been marked as a duplicate of this bug. ***
Comment 3 Björn Jacke 2013-09-18 13:16:58 UTC
thanks, I'll try to have a look at this. Is this patch actually based on the patch from bug #3504?

If we need this NSS_STRICT_NOFORK hack, do you have some pointers to where this is documented? We should code this into smbd instead of having to set things like this in the environment then.
Comment 4 Jura Sasek 2014-02-20 23:11:15 UTC
BJ,
I apologize for the long response.

(In reply to comment #3)
> thanks, I'll try to have a look at this. Is this patch actually based on the
> patch from bug #3504 ?

Yes. It is a remake for Samba 3.6, slightly extended for key/passphrase auth on ssldap.

> If we need this NSS_STRICT_NOFORK hack - do you have some pointers where this
> is documented? We should code this into smbd instead of having to set things
> like this in the environment then.

Yes, it could be safer, but currently Samba runs under SMF(5) on Solaris, so the environment variable is set in the run method.

Another unfinished item is the key/passphrase auth. My idea was to use secrets.tdb to store the passphrase (similar to the ldap password set by the smbpasswd utility), but I am not so familiar with this interface. This feature was shown as not required, so I did not finish it.