novell-samba and Secure LDAP On OES Linux Without A Local Copy Of eDirectory

  • 7011753
  • 06-Feb-2013
  • 28-Mar-2013


Novell Open Enterprise Server 11 (OES 11) Linux


An OES server can be installed without a local copy of eDirectory and NCP. In this example, novell-samba, Linux User Management (LUM), and iManager were installed. When installing the services, as eDirectory was not being installed locally, the LDAP configuration (during the OES install) was pointed to a server that did contain at least a Read/Write copy of eDirectory.
When trying to authenticate a LUM and Samba enabled user the following was reported either on screen or in the /var/log/samba/log.smbd:
ERROR:   Connection to * failed (Error NT_STATUS_CONNECTION_REFUSED)
ERROR:   lib/smbldap.c:1225(smbldap_connect_system)failed to bind to server ldaps:// with dn="cn=custom-sambaProxy,o=novell" Error: Can't contact LDAP server error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)


There are a couple of steps that one must be aware of, if installing the system this way, in order to manage samba users (via iManager) and have ldap work over its secure port (636).
1.  The first thing to be aware of is that an NCP server object is not created for the new server in the existing tree. 
The other necessary objects, such as the proxy user and samba domain objects, are created in the tree. 
Using  iManager > File Protocols > Samba, when selecting a server to manage one will not be found.  
The IP address of the new server can be specified in order to manage users with this plugin.
2.  The second thing to be aware of is that the openldap client configuration is incomplete and needs some tweaking. 
The file's (/etc/openldap/ldap.conf) uncommented lines may look similar to the following (these are not required for samba authentication to work over secure LDAP):
TLS_CACERTDIR /etc/ssl/certs
TLS_CERT /etc/ssl/servercerts/servercert.pem
TLS_KEY /etc/ssl/servercerts/serverkey.pem
Append the following line to the bottom of the file and restart the server:
The samba server will now allow the authentication of eDirectory users over secure LDAP.