-
Hi,
LDAPS is working but the certificate used does not seem to be issued by the CA (which is working fine for other services/servers) ... With LDAPS I am getting messages that the certificate is not valid.
Two questions:
1. Can I replace the certificate myself, and how can I make it persistent?
2. Is it possible to have LDAPS listed as a service in the Certification Authority under Services Certificates?
Thanks!
RAB
-
This post:
https://forum.zentyal.org/index.php/topic,32039.0.html
suggests that the certificates are located here on the Zentyal server:
/var/lib/samba/private/tls
Is this correct?
Can I just replace these by a certificate generated by the Zentyal CA or will this generate issues with the existing AD functionality?
The LDAP conf file also contains a reference to a certificate.
/etc/ldap/ldap.conf
What is the role of this certificate? Does it require changing as well? Should it rather point to a certificate in /var/lib/samba/private/tls?
-
This: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
suggests that the certificates in /var/lib/samba/private/tls
would only be used for LDAP.
Correct?
-
Ok - figured it out for the most part.
Just cannot find where Zentyal configures the Samba certificates (the settings below are from a plain Samba config):
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile = tls/myIntermediate.pem # if not required, set empty
The certificate used (default setup) for LDAPS on port 636 is the one found in /var/lib/samba/private/tls;
per https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html this is the default location, and TLS is enabled by default.
-
OK - solved
Changed the content of:
/var/lib/samba/private/tls/cert.pem to contain the content of the *-cert.crt file in the key-certificate package from the Zentyal CA
/var/lib/samba/private/tls/key.pem to contain the content of the *-private-key.pem file in the key-certificate package from the Zentyal CA
/var/lib/samba/private/tls/ca.pem to be empty (no content). The file somehow needs to exist, otherwise the start of the Zentyal samba service fails.
Edited
/usr/share/zentyal/stubs/samba/smb.conf.mas to include at the end:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile =
Restart the zentyal samba service:
sudo zs samba stop
sudo zs samba start
NOTE: Despite the empty setting for tls cafile in smb.conf.mas, the start of the Zentyal samba service fails if no tls/ca.pem file exists. Having an empty tls/ca.pem resolved this for me.
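An added helper for the swap described in this post (example code, not from this thread and not part of Zentyal or Samba). It assumes the Samba AD DC reads its LDAPS material from /var/lib/samba/private/tls as cert.pem, key.pem and ca.pem, as the post states; the function names are hypothetical. Before overwriting anything it checks that the files really are PEM, that the certificate's public key matches the private key (so a bad paste does not leave the DC without a working LDAPS listener), keeps timestamped backups, writes the private key with mode 600, and always creates ca.pem (empty when no CA bundle is given), which is the caveat from the NOTE above. verify_ldaps needs network access and checks that the chain presented on 636 verifies against the Zentyal CA certificate.

```shell
#!/bin/sh
# Hypothetical helper for installing LDAPS certificates on a Samba AD DC.
# Assumption (from the thread): Samba reads tls/cert.pem, tls/key.pem and
# tls/ca.pem relative to its private dir, i.e. /var/lib/samba/private/tls.
TLS_DIR="${TLS_DIR:-/var/lib/samba/private/tls}"

# pem_has_block FILE TYPE: succeed if FILE contains a "-----BEGIN ...TYPE-----" line
pem_has_block() {
    grep -q -- "^-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# cert_matches_key CERT KEY: 0 = public keys agree, 1 = mismatch or unparseable,
# 2 = openssl not installed (caller decides whether to proceed without the check)
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# install_samba_tls CERT KEY [CA]
# Copies CERT/KEY (and optionally a CA bundle) into $TLS_DIR as cert.pem,
# key.pem and ca.pem, backing up whatever was there. ca.pem is always written,
# empty if no CA is given, because samba refuses to start when it is missing.
install_samba_tls() {
    cert=$1; key=$2; ca=${3:-}
    pem_has_block "$cert" CERTIFICATE || { echo "refusing: $cert has no CERTIFICATE block" >&2; return 1; }
    pem_has_block "$key" "PRIVATE KEY" || { echo "refusing: $key has no PRIVATE KEY block" >&2; return 1; }
    rc=0; cert_matches_key "$cert" "$key" || rc=$?
    [ "$rc" -ne 1 ] || { echo "refusing: public key in $cert does not match $key" >&2; return 1; }
    [ -z "$ca" ] || pem_has_block "$ca" CERTIFICATE || { echo "refusing: $ca has no CERTIFICATE block" >&2; return 1; }

    mkdir -p "$TLS_DIR" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    for f in cert.pem key.pem ca.pem; do
        [ -e "$TLS_DIR/$f" ] && cp -p "$TLS_DIR/$f" "$TLS_DIR/$f.bak-$stamp"
    done
    cp "$cert" "$TLS_DIR/cert.pem" && chmod 644 "$TLS_DIR/cert.pem" || return 1
    # restrictive umask so a freshly created key.pem is never world-readable
    (umask 077 && cp "$key" "$TLS_DIR/key.pem") && chmod 600 "$TLS_DIR/key.pem" || return 1
    if [ -n "$ca" ]; then cp "$ca" "$TLS_DIR/ca.pem" || return 1; else : > "$TLS_DIR/ca.pem"; fi
    chmod 644 "$TLS_DIR/ca.pem"
}

# verify_ldaps HOST CAFILE: TLS handshake on 636, succeeding only if the chain
# the DC presents verifies against CAFILE (export the Zentyal CA cert for this).
# Run it after "zs samba start"; it is a network check and is not part of the test.
verify_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage (as root, with the files from the Zentyal CA key-certificate package):
#   install_samba_tls ./dc-cert.crt ./dc-private-key.pem && zs samba restart
#   verify_ldaps dc.example.lan ./zentyal-ca.pem && echo "LDAPS chain OK"
```

Because the stub smb.conf.mas in the post sets "tls cafile =" to nothing, ca.pem only has to exist; if you later decide to ship the Zentyal CA certificate in it, pass it as the third argument and set "tls cafile = tls/ca.pem" in the stub as well.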
-
Hello, I tried to repeat your guide but without success.
Can you explain this:
/var/lib/samba/private/tls/cert.pem to contain the content of the *-cert.crt file in the key-certificate package from the Zentyal CA
/var/lib/samba/private/tls/key.pem to contain the content of the *-private-key.pem file in the key-certificate package from the Zentyal CA
/var/lib/samba/private/tls/ca.pem to be empty (no content). The file somehow needs to exist, otherwise the start of the Zentyal samba service fails.
I have Zentyal 5.1 but I don't understand which files you mean: "*-cert.crt file in the key-certificate package from the Zentyal CA"
and "*-private-key.pem file in the key-certificate package from the Zentyal CA".
thanks