Linux – OpenFire authentication against Samba Active Directory using StartTLS

Tags: linux, openfire, samba4, Ubuntu

I am trying to authenticate different services (specifically openfire for now) against Samba Active Directory over StartTLS (port 389).

While setting openfire up, I checked this option (Use StartTLS), but when I test the connection, I get this error:

[LDAP: error code 1 - 00002020: Operation unavailable without authentication]

I have to say that when I try to connect over LDAPS (using port 636), everything goes perfectly.
Anyway, it is clear that a connection without encryption on 389 will not work with AD (when I tried, openfire told me that I must use an encryption layer).

Could someone help me please to connect successfully over StartTLS?

Here is my smb.conf

[global]
        netbios name = S1
        realm = NOURELDIN.LOCAL
        workgroup = NOURELDIN
        dns forwarder = 8.8.8.8
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap ssl = start tls

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/noureldin.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

PS: I tried both adding and removing the (ldap ssl = start tls) line, with no difference.

I appreciate any help.

Best Answer

You probably need to import the Samba ADS CA certificate into the OpenFire system.

Edit: I installed samba4 in a CentOS VM and configured OpenFire to use LDAP with StartTLS.

After installing samba4 from sources as indicated in the Samba wiki (https://wiki.samba.org/index.php/Build_Samba_from_source, https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller), on the Samba domain controller I changed directory to /usr/local/samba/private/tls.

Inside this folder you have three files:

# pwd
/usr/local/samba/private/tls
[root@dc1 tls]# ls -l
total 12
-rw-r--r--. 1 root root 2025 Jun 20 21:29 ca.pem
-rw-r--r--. 1 root root 2029 Jun 20 21:29 cert.pem
-rw-------. 1 root root 3243 Jun 20 21:29 key.pem

Copy the content of ca.pem. One way is:

# cat ca.pem 

Copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----

In the OpenFire console, go to TLS/SSL certificates and click on 'manage store contents' of the trust store of the server federation stores:


Click on 'import from':

and give the new CA a name like 'my awesome samba4 domain', and paste the contents of ca.pem:


Verify the new CA is in there; it should have been added to the list of the trusted stores:


Verify in the server settings that you are using StartTLS:


Restart OpenFire and log in as your administrative user in the web console. To verify you are using StartTLS you can use tcpdump.

Done.
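An added example, not from the question or the answer, that does by hand what OpenFire does when the StartTLS box is ticked: connect in the clear on 389, send the LDAP StartTLS extended request, check the result code, then upgrade the same socket to TLS with the DC's certificate verified against the ca.pem copied above. The host, port and ca.pem path are assumptions; the function names are mine, and the response is assumed to arrive in a single read.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def ber_len(n):
    """BER short-form length; every field in this request is well under 128 bytes."""
    assert n < 0x80
    return bytes([n])

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] LDAPOID, primitive
    op = b"\x77" + ber_len(len(name)) + name                     # APPLICATION 23, constructed
    body = b"\x02\x01" + bytes([msg_id]) + op                    # INTEGER messageID (< 128)
    return b"\x30" + ber_len(len(body)) + body                   # outer SEQUENCE

def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, used by the DC for larger replies
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_starttls_response(data):
    """Decode ExtendedResponse [APPLICATION 24]; return (messageID, resultCode, diagnosticMessage)."""
    tag, body, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(body, 0)
    tag, op, _ = _tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _tlv(op, 0)        # resultCode ENUMERATED (0 = success, 1 = operationsError)
    _, _matched, pos = _tlv(op, pos)  # matchedDN, empty here
    _, diag, _ = _tlv(op, pos)        # diagnosticMessage, e.g. the 00002020 text from the question
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def starttls_probe(host, ca_pem_path, port=389):
    """Clear connect on 389, negotiate StartTLS, verify the DC chains to ca.pem; return TLS version."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)  # chain + hostname verification stay on
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(build_starttls_request())
        _, code, diag = parse_starttls_response(raw.recv(4096))  # assumption: one read suffices
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode {code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

If the DC's certificate does not chain to the ca.pem you pass in, wrap_socket raises ssl.SSLError, which is the same trust failure OpenFire reports until the CA is imported into its trust store.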