
I am trying to authenticate different services (specifically openfire for now) against Samba Active Directory over StartTLS (port 389).

While setting openfire up, I checked this option (Use StartTLS), but when I test the connection, I get this error:

[LDAP: error code 1 - 00002020: Operation unavailable without authentication]

I have to say that when I try to connect over LDAPS (using port 636), everything goes perfectly. Anyway, it is clear that a connection without encryption on 389 will not work with AD (when I tried, openfire told me that I must use an encryption layer).

Could someone help me please to connect successfully over StartTLS?

Here is my smb.conf

[global]
        netbios name = S1
        realm = NOURELDIN.LOCAL
        workgroup = NOURELDIN
        dns forwarder = 8.8.8.8
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap ssl = start tls

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/noureldin.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

PS: I tried both adding and removing the (ldap ssl = start tls) line with no difference.

I appreciate any help.

Jim B
Mohammed Noureldin

1 Answer


You probably need to import the Samba ADS CA certificate into the openfire system.

Edit: I installed samba4 in a centos vm and configured openfire to use ldap with StartTLS.

After installing samba4 from sources as indicated in the samba wiki (https://wiki.samba.org/index.php/Build_Samba_from_source, https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller), I changed directory in the samba domain controller to /usr/local/samba/private/tls

Inside this folder you have three files:

# pwd
/usr/local/samba/private/tls
[root@dc1 tls]# ls -l
total 12
-rw-r--r--. 1 root root 2025 Jun 20 21:29 ca.pem
-rw-r--r--. 1 root root 2029 Jun 20 21:29 cert.pem
-rw-------. 1 root root 3243 Jun 20 21:29 key.pem

Copy the content of ca.pem. One way is:

# cat ca.pem 

Copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----

In the openfire console, go to TLS/SSL certificates and click on manage store contents of the trust store of server federation stores:


Click on 'import from':

and give the new CA a name like 'my awesome samba4 domain', and paste the contents of ca.pem:


Verify the new CA is in there; it should be added to the list of the trusted stores:


Verify in the server settings that you are using StartTLS:


Restart openfire and log in as your administrative user in the web console. To verify you are using StartTLS you can use tcpdump.

Done.

natxo asenjo
  • Do you mean not using the auto generated CA, but generating my own self-signed CA and then importing it into both Samba and Openfire? – Mohammed Noureldin Jun 18 '16 at 09:53
  • 1
    no, I mean using the samba ADS CA: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#Using_the_Samba_autogenerated_self-signed_certificate_.28default.29 – natxo asenjo Jun 18 '16 at 10:06
  • I will try to copy and import it into openfire; anyway I am now at the very first step of setting openfire up and I cannot change the CA, but I still can check StartTLS. If that is really the problem, it does not make sense to show that StartTLS option at this step. – Mohammed Noureldin Jun 18 '16 at 11:32
  • just for kicks I installed openfire in a centos 7 host. I do not have a samba ADS environment handy, but I do have a freeipa domain with both ldap and a PKI. So after joining the host to the domain and installing the openfire rpm I modified the start script /etc/rc.d/init.d/openfire, and added this: -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts to the line starting with OPENFIRE_OPTS. After restarting the daemon I could use starttls against the ldap server. – natxo asenjo Jun 18 '16 at 21:19
  • so I have to use the CA certificate of samba, and then use it to generate all certificates of the other services? (sorry but I am not good practically in certs) – Mohammed Noureldin Jun 20 '16 at 13:19
  • if you want to use starttls with the samba ldap server, you need to import the certificate authority of samba (see my link) in the openfire server. No need for other certificates – natxo asenjo Jun 20 '16 at 16:33
  • Sir, could we change the openfire example to openvpn? In openvpn you need to generate a CA and server side keys, so in my case should I use the samba CA instead of generating a new one for openvpn, and use it to generate the other server side keys (crt and key)? So according to your link, I have to copy this ca: /usr/local/samba/private/tls/ca.pem, use it with openvpn, and then generate the other openvpn server.{crt, key} using it, is that right? – Mohammed Noureldin Jun 20 '16 at 19:35
  • if you want to ask something different open a different question – natxo asenjo Jun 20 '16 at 20:46
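The accepted answer's manual steps (copy the BEGIN/END CERTIFICATE block out of Samba's ca.pem, trust it in the Java truststore Openfire reads, and confirm that port 389 really upgrades to TLS) as an added shell example; this is not code from the answer, Samba or Openfire. It assumes the Samba path from the answer, that keytool and openssl are installed on the Openfire host, and that TRUSTSTORE, STOREPASS and the DC hostname are placeholders you replace.

```shell
#!/bin/sh
# Added example: script the answer's steps for trusting Samba's autogenerated CA
# on the Openfire host and checking that the LDAP session on 389 is upgraded to TLS.
# Assumptions: keytool (JDK) and openssl are installed; TRUSTSTORE and STOREPASS are
# placeholders for the store the JVM reads (cf. -Djavax.net.ssl.trustStore=... above).

CA_PEM="${CA_PEM:-/usr/local/samba/private/tls/ca.pem}"   # path from the answer
TRUSTSTORE="${TRUSTSTORE:-/path/to/openfire/truststore}"  # placeholder
STOREPASS="${STOREPASS:-changeit}"                         # placeholder default
CA_ALIAS="${CA_ALIAS:-samba4-domain-ca}"

# Step 1: keep only the BEGIN/END CERTIFICATE block(s) and drop any surrounding text.
# This is exactly what the answer tells you to copy into the Openfire console.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Step 2: add the CA to a Java truststore so the JVM, and therefore Openfire,
# accepts the DC certificate once the LDAP connection is upgraded to TLS.
import_ca() {
    pem="$1"; store="$2"; alias="$3"; pass="$4"
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$pem" -keystore "$store" -storepass "$pass"
}

# Step 3: have openssl send the LDAP StartTLS extended operation on 389 and
# validate the DC certificate against the CA; returns success only if the chain verifies.
verify_starttls() {
    host="$1"; cafile="$2"
    openssl s_client -connect "$host:389" -starttls ldap -CAfile "$cafile" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Alternative check with the OpenLDAP client: -ZZ aborts unless StartTLS succeeds,
# so a silent plaintext fallback cannot be mistaken for a working TLS setup.
verify_with_ldapsearch() {
    LDAPTLS_CACERT="$2" ldapsearch -ZZ -H "ldap://$1" -x -s base -b '' namingContexts
}

# Usage (commented out so sourcing this file only defines the functions):
#   extract_pem "$CA_PEM" > /tmp/samba-ca.pem
#   import_ca /tmp/samba-ca.pem "$TRUSTSTORE" "$CA_ALIAS" "$STOREPASS"
#   verify_starttls dc1.noureldin.local /tmp/samba-ca.pem && echo "StartTLS OK"
```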