I am trying to authenticate different services (specifically openfire for now) against Samba Active Directory over StartTLS (port 389).
While setting openfire up, I checked this option (Use StartTLS), but when I test the connection, I get this error:
[LDAP: error code 1 - 00002020: Operation unavailable without authentication]
I have to say that when I try to connect over LDAPS (using port 636), everything goes perfectly.
Anyway, it is clear that the connection without encryption on 389 will not work with AD (when I tried, openfire told me that I must use an encryption layer).
Could someone please help me connect successfully over StartTLS?
Here is my smb.conf:
[global]
    netbios name = S1
    realm = NOURELDIN.LOCAL
    workgroup = NOURELDIN
    dns forwarder = 8.8.8.8
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    ldap ssl = start tls
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/noureldin.local/scripts
    read only = No
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
PS: I tried both adding and removing the (ldap ssl = start tls) line, with no difference.
I appreciate any help.
Best Answer
You probably need to import the Samba ADS CA certificate into the openfire system.
Edit: I installed samba4 in a CentOS VM and configured openfire to use LDAP with StartTLS.
After installing samba4 from sources as indicated in the samba wiki (https://wiki.samba.org/index.php/Build_Samba_from_source, https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller), I changed directory on the samba domain controller to /usr/local/samba/private/tls.
Inside this folder you have three files:
Copy the content of ca.pem. One way is:
Copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
In the openfire console, go to TLS/SSL certificates and click on 'manage store contents' for the trust store of the server federation stores:
Click on 'import from':
and give the new CA a name like 'my awesome samba4 domain', and paste the contents of ca.pem:
Verify the new CA is in there; it should be added to the list of trusted stores:
Verify in the server settings that you are using StartTLS:
Restart openfire and log in as your administrative user in the web console. To verify you are using StartTLS you can use tcpdump.
Done.
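As an added example (not part of the original question or answer, and not Openfire's or Samba's code): a stdlib-only Python check that performs the LDAP StartTLS exchange on port 389 by hand and then verifies the server certificate against the same ca.pem the answer has you import into Openfire. It separates "the DC refused StartTLS" from "the certificate does not chain to the CA I trust", which is the distinction behind the answer's advice. The host name s1.noureldin.local and the ca.pem path are constructed from the question's netbios name, realm and tls directory.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 §4.14 StartTLS extended operation

def _ber(tag: int, body: bytes) -> bytes:
    """One BER TLV, short-form length only (the StartTLS request is ~30 bytes)."""
    return bytes([tag, len(body)]) + body

def _hdr_len(length_byte: int) -> int:
    """Size of tag+length for a short-form or one-byte long-form length."""
    return 2 if length_byte < 0x80 else 2 + (length_byte & 0x7F)

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }"""
    ext = _ber(0x77, _ber(0x80, STARTTLS_OID))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + ext)

def parse_result_code(msg: bytes) -> int:
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS accepted."""
    if msg[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    off = _hdr_len(msg[1])
    if msg[off] != 0x02:
        raise ValueError("missing messageID")
    off += 2 + msg[off + 1]  # skip INTEGER messageID
    if msg[off] != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % msg[off])
    off += _hdr_len(msg[off + 1])
    if msg[off] != 0x0A:
        raise ValueError("missing ENUMERATED resultCode")
    n = msg[off + 1]
    return int.from_bytes(msg[off + 2:off + 2 + n], "big")

def check_starttls(host: str, ca_file: str, port: int = 389) -> str:
    """Return the negotiated TLS version, or raise if StartTLS is refused or the
    certificate does not chain to ca_file / does not match the host name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the Samba CA
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))  # response is a few dozen bytes
        if code != 0:
            raise RuntimeError("server refused StartTLS, resultCode=%d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    # Constructed values, derived from the question's netbios name and realm.
    print(check_starttls("s1.noureldin.local", "/usr/local/samba/private/tls/ca.pem"))
```

If this prints a TLS version, StartTLS and the CA trust are fine and any remaining "error code 1" comes from the bind step (credentials or bind DN), not from the encryption layer.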