Bug 3504 - Allow SSL support when build with Solaris ldap library
Summary: Allow SSL support when build with Solaris ldap library
Status: RESOLVED DUPLICATE of bug 10143
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Build environment (show other bugs)
Version: 3.2.0
Hardware: Other Solaris
: P3 normal
Target Milestone: ---
Assignee: Björn Jacke
QA Contact: Samba QA Contact
URL:
Keywords:
: 4758 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-02-13 00:25 UTC by Alex Deiter
Modified: 2013-09-18 13:10 UTC (History)
3 users (show)

See Also:

Attachments
Allow SSL support when build with Solaris ldap library (13.71 KB, patch)
2006-02-13 00:29 UTC, Alex Deiter 		no flags Details
Patch for Samba-3.0.22 (12.32 KB, patch)
2006-04-04 07:53 UTC, Alex Deiter 		no flags Details
Patch for Samba-3.0.23c (12.62 KB, patch)
2006-10-12 23:31 UTC, Alex Deiter 		no flags Details
git patch for today's 3_2_test (14.12 KB, patch)
2008-04-21 09:55 UTC, Björn Jacke 		no flags Details
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Deiter 2006-02-13 00:25:19 UTC 
Please see BUG #3196 (Build samba with Solaris ldap library).

Proposed patch for Samba-3.0.21b. Add some features:

 * Allow SSL support when build with Solaris ldap library
 * Remove smb.conf parameter 'ldap timeout' 
 * New smb.conf parameter 'ldap operation timeout'.
   It replace old parameter 'ldap timeout' and also used for set up
   LDAP_OPT_TIMELIMIT.
 * New smb.conf parameter 'ldap connection timeout'. 
   Used for set up LDAP_X_OPT_CONNECT_TIMEOUT.

Tested with Solaris 9/04 + Sun One Directory Server 5.2.

Quck howto for Solaris ldap library ssl client:

# cd /usr/local/etc/samba
# certutil -N -d .
# certutil -A -n "MTS Komi Ca" -t "CT,," -d . -a -i ca.crt
# certutil -L -d .

Certificate Name                                             Trust Attributes

MTS Komi Ca                                                  CT,,

p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certs (implies c)
C    Trusted CA to certs(only server certs for ssl) (implies c)
u    User cert
w    Send warning

# ./testparm -v|grep ldap
...
Server role: ROLE_DOMAIN_PDC
...
        passdb backend = "ldapsam:ldaps://sandra.komi.mts.ru simona.komi.mts.ru"
        ldap admin dn = cn=samba,dc=komi,dc=mts,dc=ru
        ldap cert db = /usr/local/etc/samba/cert7.db
        ldap suffix = dc=komi,dc=nw,dc=mts,dc=ru
        ldap connection timeout = 1
        ldap operation timeout = 15

Hint for passdb backend:
 * for OpenLDAP library:
 passdb backend = "ldapsam:ldaps://server1 ldaps://server2"

 * for Solaris library:
 passdb backend = "ldapsam:ldaps://server1 server2"

# ./pdbedit -d 3 -v tiamat
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/local/etc/samba/smb.conf"
Processing section "[global]"
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KOMI))]
Successfully setup ldapssl session with sandra.komi.mts.ru simona.komi.mts.ru:636
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KOMI))]
Successfully setup ldapssl session with sandra.komi.mts.ru simona.komi.mts.ru:636
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
init_sam_from_ldap: Entry found for user: tiamat
Unix username:        tiamat
NT username:          tiamat
Account Flags:        [U          ]
User SID:             S-1-5-21-1234567890-1234567890-1234567890-4008
Primary Group SID:    S-1-5-21-1234567890-1234567890-1234567890-513
Full Name:            Дейтер Александр Валериевич
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain:               KOMI
Account desc:         Ведущий специалист
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sun, 04 Dec 0468 18:30:07 MSK
Kickoff time:         Sun, 04 Dec 0468 18:30:07 MSK
Password last set:    Mon, 12 Dec 2005 09:01:54 MSK
Password can change:  Mon, 12 Dec 2005 09:01:54 MSK
Password must change: Mon, 06 Mar 2006 09:01:54 MSK
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Directory server access log:
[12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - fd=42 slot=42 LDAPS connection from 10.50.1.4 to 10.50.1.7
[12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - SSL 128-bit RC4
[12/Feb/2006:16:38:50 +0300] conn=2022 op=0 msgId=1 - BIND dn="cn=samba,dc=komi,dc=mts,dc=ru" method=128 version=3

Thanks s lot!
Comment 1 Alex Deiter 2006-02-13 00:29:53 UTC 
Created attachment 1724 [details]
Allow SSL support when build with Solaris ldap library

Patch for Samba-3.0.21b
Comment 2 Alex Deiter 2006-04-04 07:53:05 UTC 
Created attachment 1841 [details]
Patch for Samba-3.0.22

Patch for Samba-3.0.22
Comment 3 Alex Deiter 2006-10-12 23:31:55 UTC 
Created attachment 2182 [details]
Patch for Samba-3.0.23c

Patch for Samba-3.0.23c
Comment 4 Björn Jacke 2007-08-23 04:17:18 UTC 
*** Bug 4758 has been marked as a duplicate of this bug. ***
Comment 5 Björn Jacke 2008-04-21 09:55:58 UTC 
Created attachment 3267 [details]
git patch for today's  3_2_test

the attached patch is a port of this Netscape LDAP SSL patch to 3.2 and it also introduces support for OpenLDAP's equivalent of Netscape's LDAP_X_OPT_CONNECT_TIMEOUT, which OpenLDAP calls LDAP_OPT_NETWORK_TIMEOUT.

This patch introduces now the two more fine grained parameters:

ldap connection timeout (defaults to 2 seconds)

ldap operation timeout (defaults to 15 seconds, like ldap timeout in previous versions)

"ldap timeout" is being removed accordingly.
Comment 6 David Markey 2008-04-28 09:50:28 UTC 
(In reply to comment #4)
> *** Bug 4758 has been marked as a duplicate of this bug. ***
> 

Trying to patch 3.0.28a i get the following errors and it wont compile subsequently. 

Anyone got an update?


bash-3.00# gpatch -p0  < patch2
patching file source/configure.in
Hunk #1 succeeded at 3263 (offset 79 lines).
patching file source/include/config.h.in
Hunk #1 succeeded at 905 (offset 101 lines).
patching file source/include/smbldap.h
Hunk #1 succeeded at 220 (offset 4 lines).
patching file source/lib/smbldap.c
Hunk #2 succeeded at 627 (offset -2 lines).
Hunk #3 succeeded at 1211 (offset 5 lines).
Hunk #4 succeeded at 1241 (offset -2 lines).
Hunk #5 succeeded at 1260 (offset 5 lines).
Hunk #6 succeeded at 1401 (offset 9 lines).
Hunk #7 succeeded at 1440 (offset 16 lines).
Hunk #8 succeeded at 1476 (offset 20 lines).
Hunk #9 succeeded at 1517 (offset 27 lines).
patching file source/libads/ldap.c
Hunk #1 succeeded at 92 (offset 6 lines).
Hunk #2 succeeded at 422 (offset 98 lines).
patching file source/nsswitch/winbindd_rpc.c
Hunk #1 succeeded at 755 (offset 78 lines).
patching file source/param/loadparm.c
Hunk #1 FAILED at 234.
Hunk #2 succeeded at 1184 (offset 20 lines).
Hunk #4 succeeded at 1599 with fuzz 1 (offset 28 lines).
Hunk #5 succeeded at 1903 with fuzz 2 (offset 62 lines).
1 out of 5 hunks FAILED -- saving rejects to file source/param/loadparm.c.rej
patching file source/libads/cldap.c
Hunk #1 FAILED at 193.
1 out of 1 hunk FAILED -- saving rejects to file source/libads/cldap.c.rej
Comment 7 David Markey 2008-04-28 12:58:29 UTC 
I've also tried pam_smbpass from Samba-3.0.23c but it doesnt want to work with or without SSL. Looks like i'll need the new version with a new patch.
Comment 8 David Markey 2008-04-28 13:39:35 UTC 
Also could someone give an example of creating a self signed certificate + db and how to configure samba to not require a client certificate at all..(which should be possible)
Comment 9 Karolin Seeger 2008-06-06 02:26:59 UTC 
Björn, could you please extract the SSL support portion from your patch and attach it as a new patch?

The other part already went into v3-2 as 'ldap connection timeout' meanwhile.

Thanks a lot!
Comment 10 Björn Jacke 2009-01-28 04:28:54 UTC 
as long as opensolaris doesn't survive 10 minutes of work in my test environment's vmware I can't do anything here.
Comment 11 David Markey 2009-06-08 19:37:25 UTC 
Maybe opensolaris will ship openldap libs soon?
Comment 12 Björn Jacke 2013-09-18 13:10:41 UTC 

*** This bug has been marked as a duplicate of bug 10143 ***