Please see BUG #3196 (Build samba with Solaris ldap library).

Proposed patch for Samba-3.0.21b. It adds some features:

* Allow SSL support when built with the Solaris ldap library
* Remove smb.conf parameter 'ldap timeout'
* New smb.conf parameter 'ldap operation timeout'. It replaces the old parameter 'ldap timeout' and is also used to set LDAP_OPT_TIMELIMIT.
* New smb.conf parameter 'ldap connection timeout'. Used to set LDAP_X_OPT_CONNECT_TIMEOUT.

Tested with Solaris 9/04 + Sun One Directory Server 5.2.

Quick howto for the Solaris ldap library SSL client:

    # cd /usr/local/etc/samba
    # certutil -N -d .
    # certutil -A -n "MTS Komi Ca" -t "CT,," -d . -a -i ca.crt
    # certutil -L -d .

    Certificate Name                         Trust Attributes
    MTS Komi Ca                              CT,,

        p    Valid peer
        P    Trusted peer (implies p)
        c    Valid CA
        T    Trusted CA to issue client certs (implies c)
        C    Trusted CA to certs(only server certs for ssl) (implies c)
        u    User cert
        w    Send warning

    # ./testparm -v | grep ldap
    ...
    Server role: ROLE_DOMAIN_PDC
    ...
    passdb backend = "ldapsam:ldaps://sandra.komi.mts.ru simona.komi.mts.ru"
    ldap admin dn = cn=samba,dc=komi,dc=mts,dc=ru
    ldap cert db = /usr/local/etc/samba/cert7.db
    ldap suffix = dc=komi,dc=nw,dc=mts,dc=ru
    ldap connection timeout = 1
    ldap operation timeout = 15

Hint for passdb backend:

* for the OpenLDAP library: passdb backend = "ldapsam:ldaps://server1 ldaps://server2"
* for the Solaris library:  passdb backend = "ldapsam:ldaps://server1 server2"

    # ./pdbedit -d 3 -v tiamat
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file "/usr/local/etc/samba/smb.conf"
    Processing section "[global]"
    Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KOMI))]
    Successfully setup ldapssl session with sandra.komi.mts.ru simona.komi.mts.ru:636
    smbldap_open_connection: connection opened
    ldap_connect_system: succesful connection to the LDAP server
    Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KOMI))]
    Successfully setup ldapssl session with sandra.komi.mts.ru simona.komi.mts.ru:636
    smbldap_open_connection: connection opened
    ldap_connect_system: succesful connection to the LDAP server
    init_sam_from_ldap: Entry found for user: tiamat
    Unix username:        tiamat
    NT username:          tiamat
    Account Flags:        [U          ]
    User SID:             S-1-5-21-1234567890-1234567890-1234567890-4008
    Primary Group SID:    S-1-5-21-1234567890-1234567890-1234567890-513
    Full Name:            Дейтер Александр Валериевич
    Home Directory:
    HomeDir Drive:
    Logon Script:
    Profile Path:
    Domain:               KOMI
    Account desc:         Ведущий специалист
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          Sun, 04 Dec 0468 18:30:07 MSK
    Kickoff time:         Sun, 04 Dec 0468 18:30:07 MSK
    Password last set:    Mon, 12 Dec 2005 09:01:54 MSK
    Password can change:  Mon, 12 Dec 2005 09:01:54 MSK
    Password must change: Mon, 06 Mar 2006 09:01:54 MSK
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Directory server access log:

    [12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - fd=42 slot=42 LDAPS connection from 10.50.1.4 to 10.50.1.7
    [12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - SSL 128-bit RC4
    [12/Feb/2006:16:38:50 +0300] conn=2022 op=0 msgId=1 - BIND dn="cn=samba,dc=komi,dc=mts,dc=ru" method=128 version=3

Thanks a lot!
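Added example, not code from the report, the patch or Samba: a small check run over the Sun ONE Directory Server access-log lines quoted above, plus constructed lines for a second connection that performs the same simple bind over plain LDAP and a third that binds anonymously. The point of the patch is that the 'ldap admin dn' password only ever crosses the wire inside an SSL session; this check flags the case where it does not (a method=128 simple bind with a non-empty DN on a connection the server logged as LDAP rather than LDAPS) and also flags the RC4 cipher the quoted log shows, which is no longer acceptable (RFC 7465). The weak-cipher set and the 128-bit floor are assumptions standing in for local policy; the IP addresses and conn numbers of the two constructed connections are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the three lines quoted in the report (conn=2022) plus two
# hypothetical connections (conn=2023 plaintext simple bind, conn=2024 anonymous bind).
SAMPLE_LOG = [
    '[12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - fd=42 slot=42 LDAPS connection from 10.50.1.4 to 10.50.1.7',
    '[12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - SSL 128-bit RC4',
    '[12/Feb/2006:16:38:50 +0300] conn=2022 op=0 msgId=1 - BIND dn="cn=samba,dc=komi,dc=mts,dc=ru" method=128 version=3',
    '[12/Feb/2006:16:39:02 +0300] conn=2023 op=-1 msgId=-1 - fd=43 slot=43 LDAP connection from 10.50.1.9 to 10.50.1.7',
    '[12/Feb/2006:16:39:02 +0300] conn=2023 op=0 msgId=1 - BIND dn="cn=samba,dc=komi,dc=mts,dc=ru" method=128 version=3',
    '[12/Feb/2006:16:39:05 +0300] conn=2024 op=-1 msgId=-1 - fd=44 slot=44 LDAP connection from 10.50.1.10 to 10.50.1.7',
    '[12/Feb/2006:16:39:05 +0300] conn=2024 op=0 msgId=1 - BIND dn="" method=128 version=3',
]

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$')
CONN_RE = re.compile(r'^fd=\d+ slot=\d+ (?P<proto>LDAPS?) connection from (?P<src>\S+) to (?P<dst>\S+)$')
SSL_RE = re.compile(r'^SSL (?P<bits>\d+)-bit (?P<cipher>\S+)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+) version=(?P<version>\d+)$')

SIMPLE_BIND = 128                               # BER context tag [0]: the 'simple' BindRequest choice (password sent as-is)
WEAK_CIPHERS = {"RC4", "DES", "3DES", "NULL"}   # assumption: what local policy rejects
MIN_BITS = 128                                  # assumption: minimum acceptable symmetric key size


@dataclass
class Connection:
    proto: str = ""      # "LDAP" or "LDAPS" as the server logged it
    src: str = ""
    bits: int = 0
    cipher: str = ""
    binds: list = field(default_factory=list)   # (dn, method) for every BIND op on this connection


def parse_access_log(lines):
    """Group the per-connection facts we need (transport, cipher, binds) by conn id."""
    conns = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # RESULT, SRCH, UNBIND ... lines are not needed for this check
        conn = conns.setdefault(m['conn'], Connection())
        rest = m['rest']
        if (cm := CONN_RE.match(rest)):
            conn.proto, conn.src = cm['proto'], cm['src']
        elif (sm := SSL_RE.match(rest)):
            conn.bits, conn.cipher = int(sm['bits']), sm['cipher']
        elif (bm := BIND_RE.match(rest)):
            conn.binds.append((bm['dn'], int(bm['method'])))
    return conns


def audit(conns):
    """Return (conn id, issue, detail) tuples for password exposure and weak TLS."""
    findings = []
    for cid, c in sorted(conns.items()):
        for dn, method in c.binds:
            # A simple bind with a non-empty DN carries a password; an anonymous
            # bind (empty DN) does not, so it is not a credential exposure.
            if method == SIMPLE_BIND and dn and c.proto != "LDAPS":
                findings.append((cid, "simple bind over plaintext LDAP", dn))
        if c.proto == "LDAPS" and (c.cipher in WEAK_CIPHERS or 0 < c.bits < MIN_BITS):
            findings.append((cid, f"weak TLS cipher {c.bits}-bit {c.cipher}", c.src))
    return findings


if __name__ == "__main__":
    for cid, issue, detail in audit(parse_access_log(SAMPLE_LOG)):
        print(f"conn={cid}: {issue} ({detail})")
```

On the sample this reports the RC4 session for conn=2022 and the plaintext simple bind for conn=2023; the anonymous bind on conn=2024 is deliberately left alone because no password is involved.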
Created attachment 1724 [details]
Allow SSL support when built with the Solaris ldap library

Patch for Samba-3.0.21b
Created attachment 1841 [details]
Patch for Samba-3.0.22

Patch for Samba-3.0.22
Created attachment 2182 [details]
Patch for Samba-3.0.23c

Patch for Samba-3.0.23c
*** Bug 4758 has been marked as a duplicate of this bug. ***
Created attachment 3267 [details]
git patch for today's 3_2_test

The attached patch is a port of this Netscape LDAP SSL patch to 3.2, and it also introduces support for OpenLDAP's equivalent of Netscape's LDAP_X_OPT_CONNECT_TIMEOUT, which OpenLDAP calls LDAP_OPT_NETWORK_TIMEOUT. This patch now introduces two more fine-grained parameters:

    ldap connection timeout  (defaults to 2 seconds)
    ldap operation timeout   (defaults to 15 seconds, like ldap timeout in previous versions)

"ldap timeout" is being removed accordingly.
(In reply to comment #4)
> *** Bug 4758 has been marked as a duplicate of this bug. ***

Trying to patch 3.0.28a I get the following errors, and it won't compile subsequently. Anyone got an update?

    bash-3.00# gpatch -p0 < patch2
    patching file source/configure.in
    Hunk #1 succeeded at 3263 (offset 79 lines).
    patching file source/include/config.h.in
    Hunk #1 succeeded at 905 (offset 101 lines).
    patching file source/include/smbldap.h
    Hunk #1 succeeded at 220 (offset 4 lines).
    patching file source/lib/smbldap.c
    Hunk #2 succeeded at 627 (offset -2 lines).
    Hunk #3 succeeded at 1211 (offset 5 lines).
    Hunk #4 succeeded at 1241 (offset -2 lines).
    Hunk #5 succeeded at 1260 (offset 5 lines).
    Hunk #6 succeeded at 1401 (offset 9 lines).
    Hunk #7 succeeded at 1440 (offset 16 lines).
    Hunk #8 succeeded at 1476 (offset 20 lines).
    Hunk #9 succeeded at 1517 (offset 27 lines).
    patching file source/libads/ldap.c
    Hunk #1 succeeded at 92 (offset 6 lines).
    Hunk #2 succeeded at 422 (offset 98 lines).
    patching file source/nsswitch/winbindd_rpc.c
    Hunk #1 succeeded at 755 (offset 78 lines).
    patching file source/param/loadparm.c
    Hunk #1 FAILED at 234.
    Hunk #2 succeeded at 1184 (offset 20 lines).
    Hunk #4 succeeded at 1599 with fuzz 1 (offset 28 lines).
    Hunk #5 succeeded at 1903 with fuzz 2 (offset 62 lines).
    1 out of 5 hunks FAILED -- saving rejects to file source/param/loadparm.c.rej
    patching file source/libads/cldap.c
    Hunk #1 FAILED at 193.
    1 out of 1 hunk FAILED -- saving rejects to file source/libads/cldap.c.rej
I've also tried pam_smbpass from Samba-3.0.23c, but it doesn't want to work with or without SSL. Looks like I'll need the new version with a new patch.
Also, could someone give an example of creating a self-signed certificate + db, and of how to configure Samba to not require a client certificate at all (which should be possible)?
Björn, could you please extract the SSL support portion from your patch and attach it as a new patch? The other part already went into v3-2 as 'ldap connection timeout' meanwhile. Thanks a lot!
As long as OpenSolaris doesn't survive 10 minutes of work in my test environment's VMware, I can't do anything here.
Maybe OpenSolaris will ship OpenLDAP libs soon?
*** This bug has been marked as a duplicate of bug 10143 ***