Configuring LDAP over SSL (LDAPS) on a Samba AD DC

From SambaWiki

Introduction

Active Directory uses the LDAP (Lightweight Directory Access Protocol) for read and write access. Per default LDAP connections are unencrypted. To secure LDAP traffic, you can use SSL/TLS. This document will describe how to enable LDAP over SSL (LDAPS) by installing a certificate in Samba.

General information

  • To use TLS, Samba has to be compiled with „--enable-gnutls“. To verify, use the following command:
# smbd -b | grep "ENABLE_GNUTLS"
   ENABLE_GNUTLS
  • The RSA private key must be accessible without a passphrase, i.e. it must not be encrypted!
  • The files that samba uses have to be in PEM format (Base64-encoded DER). The content is enclosed between e. g. "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

Important smb.conf parameters for LDAPS

LDAPS is controlled by various smb.conf parameters, which all start with „tls“. See the manpage for details.

The „tls*“ parameters are set in the „[global]“ section of your smb.conf. After any changes, you will have to restart Samba.

Using the Samba autogenerated self-signed certificate (default)

On its first startup, Samba creates a private key, a self signed certificate and a CA certificate:

  • /usr/local/samba/private/tls/ca.pem
  • /usr/local/samba/private/tls/cert.pem
  • /usr/local/samba/private/tls/key.pem

The certificates are valid for 700 days after creation (the lifetime used when auto-creating the certificates is hardcoded in „source4/lib/tls/tlscert.c“).

By default TLS is enabled („tls enabled = yes“), the above files are used and correspond to the following smb.conf parameters:

tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem

Using a custom self-signed certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a private key (2048 bit) and a self-signed certificate, valid for 1 year. You'll be asked a couple of questions. It is very important that you fill „Common Name“, with the FQDN of the DC you are generating the certificate for („hostname -f“)!
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem

Generating a 2048 bit RSA private key
......+++
..................+++
writing new private key to 'myKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Add the following to your smb.conf
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = 
  • Restart Samba.

Using a trusted certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a 2048 server key
# openssl genrsa -out myKey.pem 2048
  • Generate a certificate request (CSR). You'll be asked a couple of questions. The most important is, that you fill „Common Name“ with the FQDN of the DC, you are generating the certificate for („hostname -f“)!
# openssl req -new -key myKey.pem -out myCSR.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Use your CSR to obtain a trusted certificate from a CA. Please check the vendors page for details on the process.
  • If you received your trusted certificate, store it in the directory with the server key (name it e. g. myCert.pem).
  • If your CA requires intermediate certificates also store it in same directory as the other files (e. g. myIntermediate.pem).
  • Add the following parameters to your smb.conf
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = tls/myIntermediate .pem  # if not required, set empty
  • Restart Samba.



View certificate details

# openssl x509 -in /usr/local/samba/private/tls/myCert.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
         Serial Number:
            d7:16:0c:a9:2e:ce:6f:a6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Validity
            Not Before: Jun 22 06:44:35 2013 GMT
            Not After : Jun 22 06:44:35 2014 GMT
        Subject: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                  .....{removed to keep this example output shorter}.....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Authority Key Identifier: 
                keyid:D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        .....{removed to keep this example output shorter}.....



Verifying the certificate

Local

# openssl verify /usr/local/samba/private/tls/myCert.pem
myCert.pem: C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
error 18 at 0 depth lookup:self signed certificate
OK

If you are using a CA file in your smb.conf, use the following command instead:

# openssl verify /usr/local/samba/private/tls/myCert.pem -CApath /path/to/ca-file.pem


Remote via TCP

# openssl s_client -showcerts -connect localhost:636

CONNECTED(00000003)
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
   i:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
-----BEGIN CERTIFICATE-----
.....{removed to keep this example output shorter}.....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
issuer=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1870 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B522F38E50A807426CBB438841A40360B8A32C2A6FA74B1705D2978E7100E9A
    Session-ID-ctx: 
    Master-Key: D65E7EC785151B6DDA2CAB40320A16DADB5A24019B23C533738B43EA36DBC4E766BE16C292E35976BB6CD09B1C537D21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1371887189
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

You can quit s_client by pressing [Ctrl]+[C].

If you are using a CA file in your smb.conf, use the following command instead:

# openssl s_client -showcerts -connect localhost:636 -CApath /path/to/ca-file.pem