Configuring LDAP over SSL (LDAPS) on a Samba AD DC

From SambaWiki
Jump to: navigation, search

Introduction

Active Directory uses the LDAP (Lightweight Directory Access Protocol) for read and write access. By default LDAP connections are unencrypted. To secure LDAP traffic, you can use SSL/TLS. This document will describe how to enable LDAP over SSL (LDAPS) by installing a certificate in Samba.



General information

  • To use TLS, Samba has to be compiled with „--enable-gnutls“. To verify, use the following command:
# smbd -b | grep "ENABLE_GNUTLS"
   ENABLE_GNUTLS
  • The RSA private key must be accessible without a passphrase, i.e. it must not be encrypted!
  • The files that samba uses have to be in PEM format (Base64-encoded DER). The content is enclosed between e. g. "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".



Important smb.conf parameters for LDAPS

LDAPS is controlled by various smb.conf parameters, which all start with „tls“. See the manpage for details.

The „tls*“ parameters are set in the „[global]“ section of your smb.conf. After any changes, you will have to restart Samba.




Using the Samba autogenerated self-signed certificate (default)

On its first startup, Samba creates a private key, a self signed certificate and a CA certificate:

  • /usr/local/samba/private/tls/ca.pem
  • /usr/local/samba/private/tls/cert.pem
  • /usr/local/samba/private/tls/key.pem

The certificates are valid for 700 days after creation (the lifetime used when auto-creating the certificates is hardcoded in „source4/lib/tls/tlscert.c“).

By default TLS is enabled („tls enabled = yes“), the above files are used and correspond to the following smb.conf parameters:

tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem




Using a custom self-signed certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a private key (2048 bit) and a self-signed certificate, valid for 1 year. You'll be asked a couple of questions. It is very important that you fill „Common Name“, with the FQDN of the DC you are generating the certificate for („hostname -f“)!
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem

Generating a 2048 bit RSA private key
......+++
..................+++
writing new private key to 'myKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Restrict rights on the private key
# chmod 600 myKey.pem
  • Add the following to your smb.conf
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = 
  • Restart Samba.

Using a trusted certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a 2048 server key
# openssl genrsa -out myKey.pem 2048
  • Generate a certificate request (CSR). You'll be asked a couple of questions. The most important is, that you fill „Common Name“ with the FQDN of the DC you are generating the certificate for („hostname -f“)!
# openssl req -new -key myKey.pem -out myCSR.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Use your CSR to obtain a trusted certificate from a CA. Please check the vendors page for details on the process.
  • If you received your trusted certificate, store it in the directory with the server key (name it e. g. myCert.pem).
  • If your CA requires intermediate certificates also store it in same directory as the other files (e. g. myIntermediate.pem).
  • Add the following parameters to your smb.conf
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = tls/myIntermediate .pem  # if not required, set empty
  • Restart Samba.




View certificate details

# openssl x509 -in /usr/local/samba/private/tls/myCert.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
         Serial Number:
            d7:16:0c:a9:2e:ce:6f:a6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Validity
            Not Before: Jun 22 06:44:35 2013 GMT
            Not After : Jun 22 06:44:35 2014 GMT
        Subject: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                  .....{removed to keep this example output shorter}.....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Authority Key Identifier: 
                keyid:D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        .....{removed to keep this example output shorter}.....



Verifying the certificate

Local

# openssl verify /usr/local/samba/private/tls/myCert.pem
myCert.pem: C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
error 18 at 0 depth lookup:self signed certificate
OK

If you are using a CA file in your smb.conf, use the following command instead:

# openssl verify /usr/local/samba/private/tls/myCert.pem -CApath /path/to/ca-file.pem


Remote via TCP

# openssl s_client -showcerts -connect dc1.samdom.example.com:636

CONNECTED(00000003)
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
   i:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
-----BEGIN CERTIFICATE-----
.....{removed to keep this example output shorter}.....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
issuer=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1870 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B522F38E50A807426CBB438841A40360B8A32C2A6FA74B1705D2978E7100E9A
    Session-ID-ctx: 
    Master-Key: D65E7EC785151B6DDA2CAB40320A16DADB5A24019B23C533738B43EA36DBC4E766BE16C292E35976BB6CD09B1C537D21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1371887189
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

You can quit s_client by pressing [Ctrl]+[C].

If you are using a CA file in your smb.conf, use the following command instead:

# openssl s_client -showcerts -connect localhost:636 -CApath /path/to/ca-file.pem