
We have a mail system which can modify Active Directory users/organization units via an ldaps URL. It needs a server certificate stored in a Java keystore to make an SSL/TLS connection.

Now I want to use samba4 as domain controller instead of Windows Server, but I didn't find a guide like this one for Active Directory: https://confluence.atlassian.com/display/DOC/Configuring+an+SSL+Connection+to+Active+Directory.

How do I get an SSL certificate from the samba4 DC server? Is it even possible?


I'm using Fedora 18, but not the samba package shipped by Fedora, because it does not support domain controller yet. I compiled samba-4.0.5 from source according to this guide: http://linuxdrops.com/install-samba-4-on-centos-rhel-fedora-debian-ubuntu/.

Terry Gardner
LiuYan 刘研
  • See this link: SWAT and SSL (http://www.samba.org/samba/docs/swat_ssl.html). Ignore the SWAT related lines, you are only interested in generating the Certificate and Key – Raza May 20 '13 at 13:56
  • @Raza, thanks for the link. I'm not only interested in how to generate it, but also in how to configure it so that client applications work with the samba4 ldaps server: does the certificate have to be issued by Microsoft, or are there any other concerns? Something like that. – LiuYan 刘研 May 20 '13 at 16:09
  • Once you have the certificate then it is same for any PKI based communication. Can't give you details in comments so I am creating an answer for you. – Raza May 20 '13 at 16:33

1 Answer

First thing you need to do is to get the certificate from Samba Server as explained in the Samba documentation I sent you earlier. Once you have the certificate then using it on windows or any other machine is no different.

What you need to do is to create a KeyStore. For my work I used http://portecle.sourceforge.net/. This is a very nice GUI based tool that you can use to create your own keystores and add keys to your keystore. You can use one of your choice if you do not like it.

Using this tool you need to first create a Keystore and then add the certificate to your keystore. Your keystore will keep the keys and it will have a password. Then you need to set the system properties, like so:

// Truststore (JKS) into which the Samba DC certificate was imported
System.setProperty("javax.net.ssl.trustStore", "keystore file path");
// The password property that belongs to a truststore is trustStorePassword;
// keyStorePassword applies only to a client keystore used for client certificates
System.setProperty("javax.net.ssl.trustStorePassword", "keystore file password");

That's it really. If you find any difficulties then I would suggest doing a Google search for "working with certificates in java" and you will get plenty of resources.

Note that it will give you some headache to get all of this working. But believe me, there is nothing more to it.

I hope you can accept this as an answer now :)

Raza
  • Is that so simple? Yes it is, except I don't need to generate the certificate manually. After provisioning the samba4 DC, samba4 has already generated its ca.pem, cert.pem and key.pem under the `/usr/local/samba/private/tls` directory. So I just copied cert.pem to the client side and imported it into a Java keystore: `keytool -import -keystore samba4-cert.jks -file cert.pem`. Done! Both the mail system and my program can use the ldaps URL to modify user accounts in AD now. – LiuYan 刘研 May 22 '13 at 11:34
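To show where the imported truststore is actually used, here is an added example (not code from the question or the answer) of a small Java/JNDI client that binds to the Samba DC over ldaps and modifies one user; the host name, file paths, DNs, attribute value and environment variable names are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class SambaLdapsClient {

    // Hypothetical values: adjust to your DC, truststore and bind account.
    static final String TRUSTSTORE = "/etc/mailsys/samba4-cert.jks";
    // Since JDK 8u181 LDAPS verifies the URL host name against the certificate,
    // so use the name that appears in the Samba-generated cert, not a bare IP.
    static final String LDAPS_URL = "ldaps://dc1.example.lan:636";
    static final String BIND_DN = "CN=Administrator,CN=Users,DC=example,DC=lan";

    public static void main(String[] args) throws NamingException {
        // Trust only the truststore holding the Samba DC certificate imported
        // with keytool; secrets come from the environment, not from source code.
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", System.getenv("TRUSTSTORE_PW"));

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        // A simple bind sends the password in clear inside the session, which is
        // acceptable only because the session is TLS-protected (ldaps://).
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // Example write: replace the description of one user in the OU the
            // mail system manages (hypothetical DN).
            String userDn = "CN=Alice,OU=Mail Users,DC=example,DC=lan";
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("description", "managed by mail system"))
            };
            ctx.modifyAttributes(userDn, mods);
            System.out.println("modified " + userDn + " over " + LDAPS_URL);
        } finally {
            ctx.close();
        }
    }
}
```

If the bind fails with a certificate path error, the truststore does not contain the DC certificate (or contains one for a different host name); the fix is on the keytool side, not in the client code.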