Novell Home

My Favorites

Close

Please to see your favorites.

novell-samba and Secure LDAP On OES Linux Without A Local Copy Of eDirectory

This document (7011753) is provided subject to the disclaimer at the end of this document.

Environment

Novell Open Enterprise Server 11 (OES 11) Linux

Situation

An OES server can be installed without a local copy of eDirectory and NCP. In this example, novell-samba, Linux User Management (LUM), and iManager were installed. When installing the services, as eDirectory was not being installed locally, the LDAP configuration (during the OES install) was pointed to a server that did contain at least a Read/Write copy of eDirectory.
 
When trying to authenticate a LUM and Samba enabled user the following was reported either on screen or in the /var/log/samba/log.smbd:
 
ERROR:   Connection to * failed (Error NT_STATUS_CONNECTION_REFUSED)
 
ERROR:   lib/smbldap.c:1225(smbldap_connect_system)failed to bind to server ldaps://srv.ip.addr.here:636 with dn="cn=custom-sambaProxy,o=novell" Error: Can't contact LDAP server error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
 
 

Resolution

There are a couple of steps that one must be aware of, if installing the system this way, in order to manage samba users (via iManager) and have ldap work over its secure port (636).
 
1.  The first thing to be aware of is that an NCP server object is not created for the new server in the existing tree. 
The other necessary objects, such as the proxy user and samba domain objects, are created in the tree. 
Using  iManager > File Protocols > Samba, when selecting a server to manage one will not be found.  
The IP address of the new server can be specified in order to manage users with this plugin.
 
2.  The second thing to be aware of is that the openldap client configuration is incomplete and needs some tweaking. 
The file's (/etc/openldap/ldap.conf) uncommented lines may look similar to the following (these are not required for samba authentication to work over secure LDAP):
TLS_CACERTDIR /etc/ssl/certs
TLS_CERT /etc/ssl/servercerts/servercert.pem
TLS_KEY /etc/ssl/servercerts/serverkey.pem
Append the following line to the bottom of the file and restart the server:
TLS_REQCERT allow
The samba server will now allow the authentication of eDirectory users over secure LDAP.
 
 

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7011753
  • Creation Date:06-FEB-13
  • Modified Date:28-MAR-13
    • NovellOpen Enterprise Server

Did this document solve your problem? Provide Feedback