Re: [Lam-public] LAM 9.3 ldaps to sernet-samba-4.23 on AlmaLinux 9.6
From: Roland G. <po...@ro...> - 2025-10-16 11:29:08
Hi Larry,

basically, you need to configure your custom CA certificate (not the server one) as trusted. This can be done inside LAM or using TLS_CACERT. You can also check your OS documentation on how to import root certificates as this might also help. If you purchase a certificate then there should be no issues unless it is a very exotic CA. Some OSes do not have Let's Encrypt trusted by default.

Another way would be to use a tool like "stunnel" that provides a local port and forwards the communication encrypted: https://www.stunnel.org/

Best regards

Roland

On 15.10.25 at 21:46, Larry Dillon wrote:
> Trying to get LAM to talk to Samba via ldaps
>
> Error message:
>
> Cannot connect to specified LDAP server. Please try again.
> (-1) LDAP error, server says: Can't contact LDAP server -
> error:0A000086:SSL routines::certificate verify failed (unable to get local
> issuer certificate)
>
> Wireshark says: Alert (Level: Fatal, Description: Unknown CA)
>
> I've tried the Import from Server under General settings, which imports
> fine, but never works. I feel like this should be an easy procedure, but I
> can never get it to work with encryption enabled.
>
> Common name            Valid to     Serial number   Delete
> dc5.rmc.example.edu    2027-09-14   1115614824
>
> I tried editing the /etc/openldap/ldap.conf on the LAM server to include
> what is called the cacert.pem in the documentation as referenced at:
> https://www.ldap-account-manager.org/static/doc/manual/apbs03.html
> cacert.pem does not exist, so I've tried the Samba generated ca.pem
> and cert.pem, with a reboot between the two tries.
>
> TLS_CACERT /etc/openldap/certs/dc5-ca.pem
> #TLS_CACERT /etc/openldap/certs/dc5-cert.pem
>
> A few years ago I also tried to get this to work, to no avail. I tried
> manually importing the certs and CA, but never got it to work.
>
> I tried generating self-signed certs on the Samba server as outlined at:
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>
> I also tried setting up my own CA, but didn't find much documentation and
> never got that working.
>
> I feel like I'm doing something fundamentally wrong. Would this work better
> if I installed LAM on Debian or Ubuntu instead of Alma?
>
> We'd rather use in-house certs, but should we just buy a commercial,
> trusted cert? If so, from whom, and what type of certs, for what uses,
> including what additional names?
>
> Should I look into setting up a CA again? If so, any pointers to a good
> guide? What are most people doing?
>
> I've installed plenty of web server SSL certs, and manually renewed Samba
> certs, but I just can't get this to work.
>
> Thanks for any help or pointers to a step-by-step procedure that anyone can
> provide!
>
> Larry
>
> _______________________________________________
> Lam-public mailing list
> Lam...@li...
> https://lists.sourceforge.net/lists/listinfo/lam-public
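Roland's point that the CA certificate, not the server certificate, is what TLS_CACERT must point at, shown with the two files Larry tried, as an added shell demonstration (not code from either poster or from LAM or Samba). It builds a constructed throw-away CA and a DC certificate issued by it, then runs the same chain check libldap performs on an ldaps connection against each candidate trust file; it assumes openssl is installed, and the hostname is the one from the thread.

```shell
#!/bin/sh
# Added demo, not code from the thread: a constructed private CA plus a DC
# certificate issued by it, validated against each file Larry tried as
# TLS_CACERT. libldap (and so LAM) performs this chain check before the bind.
# Every key and certificate below is generated into a temporary directory.
set -eu
HOST=dc5.rmc.example.edu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_pki() {
  # Self-signed root CA: this is the file that belongs in TLS_CACERT or in
  # LAM's certificate list, never the server certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example In-house Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/dc5-ca.pem" 2>/dev/null
  # Key and CSR for the DC.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/dc5.key" -out "$WORK/dc5.csr" 2>/dev/null
  # Sign it with the CA; the SAN has to carry the name used in the ldaps:// URL.
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/dc5.csr" -CA "$WORK/dc5-ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/san.ext" \
    -out "$WORK/dc5-cert.pem" 2>/dev/null
}

# Chain validation against a candidate TLS_CACERT file: exit 0 = trusted.
verify_with() {
  openssl verify -CAfile "$1" "$WORK/dc5-cert.pem" >/dev/null 2>&1
}

# Second thing to check before blaming the trust store: the SAN must contain
# exactly the host part of the ldaps:// URL (an IP or short name would fail).
san_has() {
  openssl x509 -in "$WORK/dc5-cert.pem" -noout -text | grep -q "DNS:$1"
}

make_demo_pki
for anchor in dc5-cert.pem dc5-ca.pem; do
  if verify_with "$WORK/$anchor"; then
    echo "TLS_CACERT $anchor: chain OK"
  else
    # This is the "unable to get local issuer certificate" case from the thread.
    echo "TLS_CACERT $anchor: rejected, no issuer found in the trust file"
  fi
done
if san_has "$HOST"; then echo "SAN covers $HOST"; fi
```

The server certificate is never a valid trust anchor for itself, which is why the commented-out dc5-cert.pem line cannot work while the CA line can; if the CA line still fails on a real connection, compare the SAN against the exact host name in the ldaps:// URL next.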