[OpenIndiana-discuss] LDAP Client StartTLS Support
Predrag Zecevic [Unix Systems Administrator]
Predrag.Zecevic at 2e-systems.com
Thu Sep 11 10:34:56 UTC 2014
Hi Andre,
I have found this interesting article: http://docs.oracle.com/cd/E19316-01/820-3040/gdbcd/index.html which might help you better
than me (I am not using Samba, but have compiled OpenSSL/OpenSSH/OpenLDAP/MIT Kerberos5 to work together).
When I find some time, I will try to compile Samba too.
To conclude, OI Samba 3 is NOT using OpenLDAP or OpenSSL, which might be the cause of the error you get.
Regards.
Predrag Zečević
On 09/11/14 11:58 AM, Andre Kruger wrote:
> Hi Predrag
>
> The only option that I passed to the configure script was "--with-shared-modules=idmap_ad". I left the rest on the defaults as it looked to satisfy my needs.
>
> Are you saying I should pass another option to my configure script "--with-ldap=/usr/lib/openldap/bin"? Am I using the correct path?
>
>
> Regards
> André
>
>
> -----Original Message-----
> From: Predrag Zecevic [Unix Systems Administrator] [mailto:Predrag.Zecevic at 2e-systems.com]
> Sent: 11 September 2014 11:49
> To: openindiana-discuss at openindiana.org
> Subject: Re: [OpenIndiana-discuss] LDAP Client StartTLS Support
>
> Hi Andre,
>
> your samba 4 is compiled against "mozldap" utilities (like OI does:
> https://github.com/OpenIndiana/oi-userland/blob/70e9836ac11a90774a4aa54e0bfdfa2e0b703fae/components/samba/samba30/Makefile)
>
> You have to give the configure procedure the path to the OpenLDAP libraries instead (use '-with-ldap' with path):
> it looks like you can define the variable LDAP_LIBS="-lliblber -llibldap" before configure runs.
>
> So, how did you configure (compile) Samba 4?
>
> Regards.
> Predrag Zečević
>
> On 09/11/14 11:29 AM, Andre Kruger wrote:
>> Hi
>>
>> I have two test systems:
>>
>> 1. I installed Samba from the repos using the package manager.
>> 2. I compiled Samba from source using the latest tarball on samba.org which was 4.1.11.
>>
>> Both of them behave the same, but I have to note that on system 2 I did not specify to the "configure" script to use any specific ldap client library. I mainly let it do its own thing.
>>
>> Looking at the below I can't tell which ldapsearch Samba is using:
>>
>>
>> ldd /usr/local/samba/bin/net | grep ldap
>> libsmbldap.so.0 => /usr/local/samba/lib/libsmbldap.so.0
>> libldap.so.5 => /usr/lib/libldap.so.5
>> libcli-ldap-common.so => /usr/local/samba/lib/private/libcli-ldap-common.so
>> libcli_cldap.so => /usr/local/samba/lib/private/libcli_cldap.so
>> libsmbldaphelper.so => /usr/local/samba/lib/private/libsmbldaphelper.so
>>
>> pkg search -l /usr/lib/libldap.so.5
>> INDEX ACTION VALUE PACKAGE
>> path file usr/lib/libldap.so.5 pkg:/system/library at 0.5.11-0.151.1.8
>>
>>
>> Regards
>> André
>>
>>
>> -----Original Message-----
>> From: Predrag Zecevic [Unix Systems Administrator]
>> [mailto:Predrag.Zecevic at 2e-systems.com]
>> Sent: 11 September 2014 11:20
>> To: openindiana-discuss at openindiana.org
>> Subject: Re: [OpenIndiana-discuss] LDAP Client StartTLS Support
>>
>> Hi,
>>
>> I was too fast:
>> $ ldd /usr/bin/net | grep ldap
>> libldap60.so => /usr/lib/libldap60.so
>>
>> $ pkg search -l /usr/lib/libldap60.so
>> INDEX ACTION VALUE PACKAGE
>> path link usr/lib/libldap60.so pkg:/library/samba/libsmbclient at 3.6.22-2014.1.0.0
>>
>> So, I guess Samba utilities are compiled against SunOS ldap utilities (Netscape).
>>
>> You might need to compile it yourself and use openldap utilities.
>>
>> I might be wrong, but that is my impression.
>>
>> Regards.
>> Predrag Zečević
>>
>> On 09/11/14 11:08 AM, Andre Kruger wrote:
>>> Hi
>>>
>>> I do have the library/openldap package installed,
>>>
>>> pkg list -a | grep ldap
>>> SUNWapu13-ldap 1.3.9-0.133 --r
>>> SUNWopenldap 2.4.11-0.133 --r
>>> library/apr-util-13/apr-ldap 1.5.2-0.151.1.8 i--
>>> library/openldap 2.4.34-0.151.1.8 i--
>>> naming/ldap 0.5.11-0.151.1.8 i--
>>> service/network/ldap/opends (opensolaris.org) 2.2.0-0.111 i--
>>> web/library/apache/apr-util-13/apr-ldap 1.3.9-0.134 --r
>>>
>>> And searching for the ldapsearch package on my system gives the following:
>>>
>>> pkg search -l ldapsearch
>>> INDEX ACTION VALUE PACKAGE
>>> basename link usr/lib/openldap/bin/amd64/ldapsearch pkg:/library/openldap at 2.4.34-0.151.1.8
>>> basename link usr/lib/openldap/bin/ldapsearch pkg:/library/openldap at 2.4.34-0.151.1.8
>>> basename file usr/bin/ldapsearch pkg:/naming/ldap at 0.5.11-0.151.1.8
>>> basename file usr/opends/bin/ldapsearch pkg:/service/network/ldap/opends at 2.2.0-0.111
>>>
>>>
>>> pkg search -l openldapsearch
>>> INDEX ACTION VALUE PACKAGE
>>> basename file usr/bin/amd64/openldapsearch pkg:/library/openldap at 2.4.34-0.151.1.8
>>> basename file usr/bin/openldapsearch pkg:/library/openldap at 2.4.34-0.151.1.8
>>>
>>>
>>> I understand what you are saying but I don't know how I should use the information. Can you please explain. I don't see where/how I can choose between using ldapsearch or openldapsearch?
>>>
>>> When I (try to) join my Samba server to the domain, I use the Samba "net ads join" command and that does its own thing.
>>>
>>>
>>> Regards
>>> André
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Predrag Zecevic [Unix Systems Administrator]
>>> [mailto:Predrag.Zecevic at 2e-systems.com]
>>> Sent: 11 September 2014 10:12
>>> To: openindiana-discuss at openindiana.org
>>> Subject: Re: [OpenIndiana-discuss] LDAP Client StartTLS Support
>>>
>>> Hi,
>>>
>>> I guess OI has 2 versions of ldap:
>>> a) SunOS one
>>> b) OpenLDAP
>>>
>>> You might want to use (for example) openldapsearch command instead of
>>> ldapsearch [NOTE 'open' prefix]
>>>
>>> $ pkg search -l ldapsearch
>>> INDEX ACTION VALUE PACKAGE
>>> basename file usr/share/bash-completion/completions/ldapsearch pkg:/utility/bash-completion at 2.1-2014.0.1.0
>>> basename file usr/bin/ldapsearch pkg:/naming/ldap at 0.5.11-2014.1.2.14627
>>> basename link usr/lib/openldap/bin/amd64/ldapsearch pkg:/library/openldap at 2.4.39-2014.1.2.2
>>> basename link usr/lib/openldap/bin/ldapsearch pkg:/library/openldap at 2.4.39-2014.1.2.2
>>>
>>> So, you might need to install library/openldap package and add /usr/lib/openldap/bin to path before /usr/bin (if you wanna use only name 'ldapsearch') **or** use commands specifying 'open' prefix:
>>>
>>> $ pkg search -l openldapsearch
>>> INDEX ACTION VALUE PACKAGE
>>> basename file usr/bin/amd64/openldapsearch pkg:/library/openldap at 2.4.39-2014.1.2.2
>>> basename file usr/bin/openldapsearch pkg:/library/openldap at 2.4.39-2014.1.2.2
>>>
>>> $ ldd /usr/lib/openldap/bin/ldapsearch
>>> libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2
>>> liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2
>>> libsasl.so.1 => /usr/lib/libsasl.so.1
>>> libnsl.so.1 => /lib/libnsl.so.1
>>> libc.so.1 => /lib/libc.so.1
>>> libresolv.so.2 => /lib/libresolv.so.2
>>> libsocket.so.1 => /lib/libsocket.so.1
>>> libssl.so.1.0.0 => /lib/libssl.so.1.0.0
>>> libcrypto.so.1.0.0 => /lib/libcrypto.so.1.0.0
>>> libmd.so.1 => /lib/libmd.so.1
>>> libmp.so.2 => /lib/libmp.so.2
>>> libdl.so.1 => /lib/libdl.so.1
>>> libgcc_s.so.1 => /usr/lib/libgcc_s.so.1
>>> libm.so.2 => /lib/libm.so.2
>>>
>>> HTH
>>> Regards.
>>> Predrag Zečević
>>>
>>> On 09/11/14 10:03 AM, Andre Kruger wrote:
>>>> I don't think this is a Samba problem; I am only providing the info to help the reader understand where I am coming from.
>>>>
>>>> I am trying to join my Samba server to my domain. This previously worked but our AD admins enabled LDAPS on the DCs which broke the connection. Upon retrying to join the domain, running the samba join command in debug mode I get the following:
>>>>
>>>>
>>>> Successfully contacted LDAP server 1.1.1.1
>>>> Connected to LDAP server DC1.ad.domain.com
>>>> StartTLS not supported by LDAP client libraries!
>>>>
>>>>
>>>> Is StartTLS supported by the ldap client we have in OI?
>>>>
>>>> According to this site, earlier versions of Solaris did not support it yet, so I am not sure if it is supported on the current release of OI.
>>>>
>>>> http://www.informit.com/articles/article.aspx?p=30339&seqNum=3
>>>>
>>>> _______________________________________________
>>>> openindiana-discuss mailing list
>>>> openindiana-discuss at openindiana.org
>>>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>>>>
>>>
>>> --
>>> Predrag Zečević, Technical Support Analyst, 2e Systems GmbH
>>>
>>> Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
>>> Mobile: +49 174 3109 288, Skype: predrag.zecevic
>>> E-mail: predrag.zecevic at 2e-systems.com
>>>
>>> Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
>>> 65812 Bad Soden am Taunus, Germany Company registration: Amtsgericht Königstein (Germany), HRB 7303
>>> Managing director: Phil Douglas
>>>
>>> http://www.2e-systems.com/ - Making your business fly!
>>>
>>> [***]===---
>>> According to the latest official figures, 43% of all statistics are totally worthless.
>>>
>>>
>>
>>
>
>
--
Predrag Zečević, Technical Support Analyst, 2e Systems GmbH
Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile: +49 174 3109 288, Skype: predrag.zecevic
E-mail: predrag.zecevic at 2e-systems.com
Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director: Phil Douglas
http://www.2e-systems.com/ - Making your business fly!
[***]===---
From the cradle to the coffin underwear comes first. -- Bertolt Brecht
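
The check the thread performs by hand with `ldd`, as an added example that is not part of the original messages: it classifies which LDAP client library a binary links against, so a Samba build can be verified before retrying a join over StartTLS. The function names are hypothetical; the family labels follow the thread (`libldap.so.5` from pkg:/system/library, `libldap60.so` as the Mozilla/Netscape client, `libldap-2.4.so.2` as OpenLDAP), and the sample `ldd` lines are copied from the messages above.

```shell
#!/bin/sh
# Added example (not from the thread's authors): report which LDAP client
# library family a binary is linked against, given `ldd` output on stdin.

classify_ldap_libs() {
    # Prints "<family> <path>" for each libldap entry. Samba's own helper
    # libraries (libsmbldap, libcli-ldap-common, ...) do not match.
    awk '$2 == "=>" && $1 ~ /^libldap/ {
        if      ($1 ~ /^libldap(_r)?-[0-9]/) fam = "openldap"  # libldap-2.4.so.2
        else if ($1 ~ /^libldap[0-9]+\.so/)  fam = "mozldap"   # libldap60.so
        else if ($1 == "libldap.so.5")       fam = "native"    # pkg:/system/library
        else                                 fam = "unknown"
        print fam, $3
    }'
}

links_openldap() {
    # Exit status 0 only if an OpenLDAP libldap is among the dependencies.
    classify_ldap_libs | grep -q '^openldap '
}

# ldd output quoted in the thread, embedded so the script runs offline.
SRC_BUILD_NET='    libsmbldap.so.0 => /usr/local/samba/lib/libsmbldap.so.0
    libldap.so.5 => /usr/lib/libldap.so.5
    libcli-ldap-common.so => /usr/local/samba/lib/private/libcli-ldap-common.so'
PKG_NET='    libldap60.so => /usr/lib/libldap60.so'
OPENLDAP_SEARCH='    libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2'

if [ -n "${1:-}" ]; then
    ldd "$1" | classify_ldap_libs      # classify a real binary given as argument
else
    for sample in "$SRC_BUILD_NET" "$PKG_NET" "$OPENLDAP_SEARCH"; do
        printf '%s\n' "$sample" | classify_ldap_libs
    done
fi
```

Run it with the path to `net` as the only argument after rebuilding Samba; a line starting with `openldap` means the configure step picked up the OpenLDAP client library rather than the system one.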