Bug 3504 - Allow SSL support when build with Solaris ldap library
Allow SSL support when build with Solaris ldap library
Status: RESOLVED DUPLICATE of bug 10143
Product: Samba 3.2
Classification: Unclassified
Component: Build environment
3.2.0
Other Solaris
: P3 normal
: ---
Assigned To: Björn Jacke
Samba QA Contact
:
: 4758 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-02-13 00:25 UTC by Alex Deiter
Modified: 2013-09-18 13:10 UTC (History)
3 users (show)

See Also:


Attachments
Allow SSL support when build with Solaris ldap library (13.71 KB, patch)
2006-02-13 00:29 UTC, Alex Deiter
no flags Details
Patch for Samba-3.0.22 (12.32 KB, patch)
2006-04-04 07:53 UTC, Alex Deiter
no flags Details
Patch for Samba-3.0.23c (12.62 KB, patch)
2006-10-12 23:31 UTC, Alex Deiter
no flags Details
git patch for today's 3_2_test (14.12 KB, patch)
2008-04-21 09:55 UTC, Björn Jacke
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Deiter 2006-02-13 00:25:19 UTC
Please see BUG #3196 (Build samba with Solaris ldap library).

Proposed patch for Samba-3.0.21b. Add some features:

 * Allow SSL support when build with Solaris ldap library
 * Remove smb.conf parameter 'ldap timeout' 
 * New smb.conf parameter 'ldap operation timeout'.
   It replace old parameter 'ldap timeout' and also used for set up
   LDAP_OPT_TIMELIMIT.
 * New smb.conf parameter 'ldap connection timeout'. 
   Used for set up LDAP_X_OPT_CONNECT_TIMEOUT.

Tested with Solaris 9/04 + Sun One Directory Server 5.2.

Quck howto for Solaris ldap library ssl client:

# cd /usr/local/etc/samba
# certutil -N -d .
# certutil -A -n "MTS Komi Ca" -t "CT,," -d . -a -i ca.crt
# certutil -L -d .

Certificate Name                                             Trust Attributes

MTS Komi Ca                                                  CT,,

p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certs (implies c)
C    Trusted CA to certs(only server certs for ssl) (implies c)
u    User cert
w    Send warning

# ./testparm -v|grep ldap
...
Server role: ROLE_DOMAIN_PDC
...
        passdb backend = "ldapsam:ldaps://sandra.komi.mts.ru simona.komi.mts.ru"
        ldap admin dn = cn=samba,dc=komi,dc=mts,dc=ru
        ldap cert db = /usr/local/etc/samba/cert7.db
        ldap suffix = dc=komi,dc=nw,dc=mts,dc=ru
        ldap connection timeout = 1
        ldap operation timeout = 15

Hint for passdb backend:
 * for OpenLDAP library:
 passdb backend = "ldapsam:ldaps://server1 ldaps://server2"

 * for Solaris library:
 passdb backend = "ldapsam:ldaps://server1 server2"

# ./pdbedit -d 3 -v tiamat
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/local/etc/samba/smb.conf"
Processing section "[global]"
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KOMI))]
Successfully setup ldapssl session with sandra.komi.mts.ru simona.komi.mts.ru:636
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=KOMI))]
Successfully setup ldapssl session with sandra.komi.mts.ru simona.komi.mts.ru:636
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
init_sam_from_ldap: Entry found for user: tiamat
Unix username:        tiamat
NT username:          tiamat
Account Flags:        [U          ]
User SID:             S-1-5-21-1234567890-1234567890-1234567890-4008
Primary Group SID:    S-1-5-21-1234567890-1234567890-1234567890-513
Full Name:            Дейтер Александр Валериевич
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain:               KOMI
Account desc:         Ведущий специалист
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sun, 04 Dec 0468 18:30:07 MSK
Kickoff time:         Sun, 04 Dec 0468 18:30:07 MSK
Password last set:    Mon, 12 Dec 2005 09:01:54 MSK
Password can change:  Mon, 12 Dec 2005 09:01:54 MSK
Password must change: Mon, 06 Mar 2006 09:01:54 MSK
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Directory server access log:
[12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - fd=42 slot=42 LDAPS connection from 10.50.1.4 to 10.50.1.7
[12/Feb/2006:16:38:50 +0300] conn=2022 op=-1 msgId=-1 - SSL 128-bit RC4
[12/Feb/2006:16:38:50 +0300] conn=2022 op=0 msgId=1 - BIND dn="cn=samba,dc=komi,dc=mts,dc=ru" method=128 version=3

Thanks s lot!
Comment 1 Alex Deiter 2006-02-13 00:29:53 UTC
Created attachment 1724 [details]
Allow SSL support when build with Solaris ldap library

Patch for Samba-3.0.21b
Comment 2 Alex Deiter 2006-04-04 07:53:05 UTC
Created attachment 1841 [details]
Patch for Samba-3.0.22

Patch for Samba-3.0.22
Comment 3 Alex Deiter 2006-10-12 23:31:55 UTC
Created attachment 2182 [details]
Patch for Samba-3.0.23c

Patch for Samba-3.0.23c
Comment 4 Björn Jacke 2007-08-23 04:17:18 UTC
*** Bug 4758 has been marked as a duplicate of this bug. ***
Comment 5 Björn Jacke 2008-04-21 09:55:58 UTC
Created attachment 3267 [details]
git patch for today's  3_2_test

the attached patch is a port of this Netscape LDAP SSL patch to 3.2 and it also introduces support for OpenLDAP's equivalent of Netscape's LDAP_X_OPT_CONNECT_TIMEOUT, which OpenLDAP calls LDAP_OPT_NETWORK_TIMEOUT.

This patch introduces now the two more fine grained parameters:

ldap connection timeout (defaults to 2 seconds)

ldap operation timeout (defaults to 15 seconds, like ldap timeout in previous versions)

"ldap timeout" is being removed accordingly.
Comment 6 David Markey 2008-04-28 09:50:28 UTC
(In reply to comment #4)
> *** Bug 4758 has been marked as a duplicate of this bug. ***
> 

Trying to patch 3.0.28a i get the following errors and it wont compile subsequently. 

Anyone got an update?


bash-3.00# gpatch -p0  < patch2
patching file source/configure.in
Hunk #1 succeeded at 3263 (offset 79 lines).
patching file source/include/config.h.in
Hunk #1 succeeded at 905 (offset 101 lines).
patching file source/include/smbldap.h
Hunk #1 succeeded at 220 (offset 4 lines).
patching file source/lib/smbldap.c
Hunk #2 succeeded at 627 (offset -2 lines).
Hunk #3 succeeded at 1211 (offset 5 lines).
Hunk #4 succeeded at 1241 (offset -2 lines).
Hunk #5 succeeded at 1260 (offset 5 lines).
Hunk #6 succeeded at 1401 (offset 9 lines).
Hunk #7 succeeded at 1440 (offset 16 lines).
Hunk #8 succeeded at 1476 (offset 20 lines).
Hunk #9 succeeded at 1517 (offset 27 lines).
patching file source/libads/ldap.c
Hunk #1 succeeded at 92 (offset 6 lines).
Hunk #2 succeeded at 422 (offset 98 lines).
patching file source/nsswitch/winbindd_rpc.c
Hunk #1 succeeded at 755 (offset 78 lines).
patching file source/param/loadparm.c
Hunk #1 FAILED at 234.
Hunk #2 succeeded at 1184 (offset 20 lines).
Hunk #4 succeeded at 1599 with fuzz 1 (offset 28 lines).
Hunk #5 succeeded at 1903 with fuzz 2 (offset 62 lines).
1 out of 5 hunks FAILED -- saving rejects to file source/param/loadparm.c.rej
patching file source/libads/cldap.c
Hunk #1 FAILED at 193.
1 out of 1 hunk FAILED -- saving rejects to file source/libads/cldap.c.rej
Comment 7 David Markey 2008-04-28 12:58:29 UTC
I've also tried pam_smbpass from Samba-3.0.23c but it doesnt want to work with or without SSL. Looks like i'll need the new version with a new patch.
Comment 8 David Markey 2008-04-28 13:39:35 UTC
Also could someone give an example of creating a self signed certificate + db and how to configure samba to not require a client certificate at all..(which should be possible)
Comment 9 Karolin Seeger 2008-06-06 02:26:59 UTC
Björn, could you please extract the SSL support portion from your patch and attach it as a new patch?

The other part already went into v3-2 as 'ldap connection timeout' meanwhile.

Thanks a lot!
Comment 10 Björn Jacke 2009-01-28 04:28:54 UTC
as long as opensolaris doesn't survive 10 minutes of work in my test environment's vmware I can't do anything here.
Comment 11 David Markey 2009-06-08 19:37:25 UTC
Maybe opensolaris will ship openldap libs soon?
Comment 12 Björn Jacke 2013-09-18 13:10:41 UTC

*** This bug has been marked as a duplicate of bug 10143 ***