The Samba-Bugzilla – Bug 13124
StartTLS certificate verification broken in ldap ssl ads
Last modified: 2017-11-08 07:42:11 UTC
- Windows domain with at least one domain controller with LDAP starttls enabled and valid SSL certificates installed for this service
- winbindd joined to the domain
- winbindd configured in /etc/samba/smb.conf with the following:
ldap ssl = start_tls
ldap ssl ads = yes
client ldap sasl wrapping = plain
ldap debug level = 10
- /etc/ldap/ldap.conf (libldap-2.4) configured with the following
Steps to trigger the bug:
Start winbindd as:
winbindd -F -S -d 11
winbindd will produce a message like:
[LDAP] TLS: hostname (22.214.171.124) does not match common name in certificate (mavdisk.mnsu.edu).
The problem appears to be in source3/libads/ldap.c: ldap_open() is being supplied with the LDAP server's IP address instead of its hostname, so the TLS layer compares the IP against the certificate's common name and the check fails.
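As an added illustration (not code from the bug report or from Samba), the following implements the reference-identity check a TLS client is expected to perform and applies it to the failing case above. The certificate contents (CN and SAN list) are constructed; the target names come from the log line.

```python
import ipaddress
from typing import List, Optional, Tuple


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, a wildcard is only
    allowed as the whole leftmost label and never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def target_matches_cert(target: str, subject_cn: Optional[str],
                        san: List[Tuple[str, str]]) -> bool:
    """Return True if the name the client connected to is covered by the
    certificate. `san` holds (type, value) pairs as ssl.getpeercert() reports
    them: ('DNS', 'host.example') or ('IP Address', '192.0.2.1')."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP: only an iPAddress SAN entry can satisfy the check.
        # A DNS name in the CN never matches an IP, which is exactly what
        # winbindd reports when ldap_open() is handed the server's address.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in san)
    dns_names = [v for t, v in san if t == "DNS"]
    if dns_names:
        return any(_dns_match(p, target) for p in dns_names)
    # Legacy fallback: the CN counts only when the certificate has no SAN.
    return subject_cn is not None and _dns_match(subject_cn, target)


# Constructed certificate identity for the DC in the report.
DC_CN = "mavdisk.mnsu.edu"
DC_SAN = [("DNS", "mavdisk.mnsu.edu")]

if __name__ == "__main__":
    # By IP (the buggy path) -> False; by hostname (after the fix) -> True.
    print(target_matches_cert("22.214.171.124", DC_CN, DC_SAN))
    print(target_matches_cert("mavdisk.mnsu.edu", DC_CN, DC_SAN))
```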
Reversing the following change fixes this issue: