Possible LDAP bugs

Status
Not open for further replies.

dstoliker (Cadet, joined Sep 29, 2011, 3 messages)
I'm considering submitting a couple of bugs related to LDAP.

LDAP TLS Mode
Steps to reproduce
  1. Set LDAP to TLS mode, but leave Self Signed Certificate field empty (which made sense since my server has a commercially signed certificate). Note the admin interface doesn't complain about this state.
  2. Log into the shell and perform an ldapsearch with the -ZZ parameter. The search will fail.
  3. Attempting to configure AFP or CIFS will result in an error. (See next bug)
What appears to be going on
Upon activating TLS mode, the /etc/local/openldap/ldap.conf file contains these lines:
TLS_CACERT /usr/local/etc/certs/cacert.crt
TLS_REQCERT allow
If the Self Signed Certificate field is left empty, /usr/local/etc/certs/cacert.crt is also empty.
Workaround
Put a certificate in the Self Signed Certificate field.
Suggested Resolution
Allow the user to specify whether they are using a self-signed or commercially signed certificate. If the certificate is self-signed, require the Self Signed Certificate field be populated, and add the TLS_CACERT line to ldap.conf. If the certificate is commercially signed, don't add the TLS_CACERT directive.


CIFS Requires LDAP TLS - Admin panel does not
Steps to reproduce
  1. Configure LDAP leaving TLS or SSL disabled.
  2. Attempt to configure CIFS. It will result in a generic error.
What appears to be going on
The /etc/local/smb.conf file contains this line in the [global] section:
ldap ssl = start tls
If I'm reading the docs right, this means that Samba requires TLS to be enabled to communicate with the LDAP server. However, the admin panel doesn't require TLS to be enabled.
Workaround
Enable TLS in LDAP config.
Suggested Resolution
Either require TLS in LDAP, or allow the user to specify whether TLS is to be used in Samba LDAP operations.
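The two misconfigurations described in the post can be caught before AFP/CIFS setup with a small pre-flight script. The following is an added example, not code from the original post or from FreeNAS: it parses an ldap.conf and an smb.conf, reports a TLS_CACERT that points at a missing or empty file (bug 1), and reports an smb.conf that asks for "ldap ssl = start tls" while ldap.conf carries no TLS settings (bug 2). It assumes, as the post does, that the GUI writes TLS_* lines into ldap.conf only when TLS mode is on; the sample files it writes to a temporary directory are constructed for an offline run, and the file paths are passed as arguments so the same checks can be pointed at /etc/local/openldap/ldap.conf and /etc/local/smb.conf on a real system. It also flags TLS_REQCERT values other than demand, because "allow" (the value the post found) lets libldap proceed even when the server certificate cannot be verified, which is a caveat worth knowing when the fix is "paste a certificate into the field".

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeNAS.
# Pre-flight checks for the two LDAP/TLS failure modes described above:
#   1. ldap.conf names a TLS_CACERT file that is missing or empty.
#   2. smb.conf has "ldap ssl = start tls" while ldap.conf has no TLS_* lines.
# All paths are parameters; the samples at the bottom are constructed.

# ldap_conf_get KEY FILE: print the value of the first "KEY VALUE" line.
ldap_conf_get() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# smb_ldap_ssl FILE: print the "ldap ssl" value from the [global] section.
smb_ldap_ssl() {
    awk '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/) }
        in_global && $0 ~ /^[[:space:]]*ldap ssl[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# check_cacert LDAP_CONF: 0 when TLS_CACERT is absent or names a non-empty
# PEM file; 1 when it names a missing or empty file (the post's bug 1).
check_cacert() {
    cacert=$(ldap_conf_get TLS_CACERT "$1")
    [ -z "$cacert" ] && return 0
    if [ ! -s "$cacert" ]; then
        echo "FAIL: TLS_CACERT $cacert is missing or empty" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "FAIL: TLS_CACERT $cacert holds no PEM certificate" >&2
        return 1
    fi
    return 0
}

# check_reqcert LDAP_CONF: 0 when TLS_REQCERT is demand/hard (or unset, which
# ldap.conf(5) treats as demand); 1 for allow/never/try, which do not enforce
# verification of the server certificate.
check_reqcert() {
    reqcert=$(ldap_conf_get TLS_REQCERT "$1" | tr 'A-Z' 'a-z')
    case "${reqcert:-demand}" in
        demand|hard) return 0 ;;
        *) echo "WARN: TLS_REQCERT $reqcert does not enforce server verification" >&2
           return 1 ;;
    esac
}

# ldap_tls_configured LDAP_CONF: 0 when any TLS_* directive is present.
# Assumption taken from the post: TLS mode is what puts TLS_* lines here.
ldap_tls_configured() {
    grep -Eq '^[[:space:]]*TLS_' "$1"
}

# check_samba_tls LDAP_CONF SMB_CONF: 1 when smb.conf demands STARTTLS but
# ldap.conf carries no TLS configuration (the post's bug 2); 0 otherwise.
check_samba_tls() {
    mode=$(smb_ldap_ssl "$2" | tr 'A-Z' 'a-z')
    case "$mode" in
        "start tls"|"start_tls")
            if ! ldap_tls_configured "$1"; then
                echo "FAIL: smb.conf wants '$mode' but $1 has no TLS_* settings" >&2
                return 1
            fi ;;
    esac
    return 0
}

# Constructed sample files (not real FreeNAS output) so the script runs offline.
SAMPLES=$(mktemp -d)
: > "$SAMPLES/empty.crt"                       # the empty cacert.crt from bug 1
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder-body' \
    '-----END CERTIFICATE-----' > "$SAMPLES/ca.crt"
printf 'TLS_CACERT %s\nTLS_REQCERT allow\n'  "$SAMPLES/empty.crt" > "$SAMPLES/ldap_tls_empty.conf"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$SAMPLES/ca.crt"    > "$SAMPLES/ldap_tls_ok.conf"
printf 'BASE dc=example,dc=com\nURI ldap://ldap.example.com\n'   > "$SAMPLES/ldap_plain.conf"
printf '[global]\n    ldap ssl = start tls\n' > "$SAMPLES/smb_starttls.conf"
printf '[global]\n    ldap ssl = off\n'       > "$SAMPLES/smb_off.conf"

# Demonstration run over the samples; each check reports its own reason.
for conf in ldap_tls_empty ldap_tls_ok ldap_plain; do
    if check_cacert "$SAMPLES/$conf.conf" && check_reqcert "$SAMPLES/$conf.conf"; then
        echo "$conf.conf: TLS trust settings OK"
    else
        echo "$conf.conf: problem reported above"
    fi
done
if check_samba_tls "$SAMPLES/ldap_plain.conf" "$SAMPLES/smb_starttls.conf"; then
    echo "plain ldap.conf + start tls smb.conf: consistent"
else
    echo "plain ldap.conf + start tls smb.conf: inconsistent (bug 2)"
fi
```

For the commercially signed case the post describes, the practical fix is not to remove TLS_CACERT but to point it at the system CA bundle (on FreeBSD-based systems with the ca_root_nss package that is /usr/local/share/certs/ca-root-nss.crt) and set TLS_REQCERT demand; with TLS_REQCERT allow, the ldapsearch -ZZ test only proves that the TLS layer initialised, not that the server it reached is the one you meant.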