Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
Thread: Enable LDAP over TLS _and_ SSL

#1  11-17-2008, 10:49 PM  Advanced Member, Posts: 213

I've read the various threads on LDAP TLS and SSL. It seems, for some reason, that Zimbra considers them mutually exclusive. The wiki shows disabling TLS if you want to enable SSL. I realize that ldaps is kind of a hack, but some LDAP clients (e.g. Thunderbird) only support SSL. In OpenLDAP, it's no problem to enable both. So, I tried setting the config using zmlocalconfig, then tried manually changing the localconfig.xml file. Zimbra errored with either of these approaches; it does not like the <space> between URLs. So I tried altering the 'ldap' startup file in /opt/zimbra/bin, apparently successfully. In the start() section, I commented out the existing bind_url lines for zmslapd, and hard-coded the URLs.

sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -4 \
-u zimbra -h "ldap://mail.myserver.com:389 ldaps://mail.myserver.com:636" -f /opt/zimbra/conf/slapd.conf
# -u zimbra -h "${bind_url}" -f /opt/zimbra/conf/slapd.conf

There are 2 entries in the start() section; you need to alter them both.
This should just add the 636 port for slapd to listen on. This should work, shouldn't it, and couldn't this be made part of the ordinary Zimbra config? So far, it seems to be working for me, including LDAP lookups over 636.
#2  01-11-2009, 06:51 AM  Loyal Member, Posts: 95

Hi LaFong,

I am also looking for an option to enable ldaps in Zimbra for address book access. Currently they are telling me that Zimbra uses TLS on port 389 and that TLS and SSL will not work simultaneously.

On which version did you do this, and how is it working now?

thanks,

Premod
#3  01-11-2009, 11:09 AM  Advanced Member, Posts: 213

We're using the current version, 5.0.11. I did not try TLS on 389. LDAP on 389 and LDAPS (SSL) on 636 work simultaneously, we are using it now. I haven't gotten around to testing disabling anonymous binds, but the changes to slapd.conf.in are easy.
#4  11-18-2009, 01:52 PM  Active Member, Posts: 28

Quote (Originally Posted by LaFong):
    We're using the current version, 5.0.11. I did not try TLS on 389. LDAP on 389 and LDAPS (SSL) on 636 work simultaneously, we are using it now. I haven't gotten around to testing disabling anonymous binds, but the changes to slapd.conf.in are easy.
How were you able to get zimbra's ldap to bind to both 389 and 636 simultaneously? I thought it could only bind to one or the other.
#5  11-18-2009, 03:04 PM  Advanced Member, Posts: 213

Zimbra uses openldap. The openldap daemon, slapd, can listen to multiple IP addresses, ports, and sockets, merely by quoting them separated by spaces.
OpenLDAP, Software, Man Pages: slapd
Zimbra 5.x may only communicate with slapd via 389, but slapd can still listen on other ports for external ldap clients.

Last edited by LaFong; 11-18-2009 at 03:27 PM..
#6  11-18-2009, 09:09 PM  Advanced Member, Posts: 186

Did anyone enable Zimbra's ldap on 389 and 636 (SSL) simultaneously?
I have default settings and have ldap on 389, and wanted to make it work on SSL, i.e. 636.

???
regards
Adeel
#7  12-25-2009, 05:14 PM  Member, Posts: 11
ldaps:// on 6.0.x

I managed to make it work on ZCS 6.0.x by "modifying" the bin/ldap script, adding an ldaps:// entry on the lines indicated by LaFong but leaving the ${bind_url}:

-u zimbra -h "${bind_url} ldaps://mail.myserver.com:636 ldapi:///" -F /opt/zimbra/data/ldap/config

ldap now listens to both 389 (ldap://) and 636 (ldaps://).
#8  02-16-2010, 09:36 AM  Advanced Member, Posts: 213

Yeah, I hardcoded both just to be sure it worked. I finally upgraded to 6.0.x, and decided to make them both variables:

Add ldaps_url to localconfig:
[zimbra@mail bin]# zmlocalconfig -e ldaps_url="ldaps://mail.mydomain.com:636"

Modify bin/ldap
[zimbra@mail bin]# diff -u ldap.orig ldap
--- ldap.orig 2010-02-15 11:26:47.000000000 -0700
+++ ldap 2010-02-15 12:39:27.000000000 -0700
@@ -23,6 +23,7 @@
zmsetvars \
ldap_is_master \
ldap_url \
+ ldaps_url \
ldap_bind_url \
ldap_master_url \
ldap_replica_rid \
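Review bot: the new `ldaps_url` entry in the zmsetvars list only has a value on hosts where the `zmlocalconfig -e ldaps_url=...` step above has actually been run; on any other LDAP host the variable expands to an empty string and the listener list built in the next hunk silently falls back to the original `${bind_url} ldapi:///`. That dependency is not visible from the script itself, so add a comment beside the `+ ldaps_url \` line, or a check that prints a clear message when the key is unset and ldaps was expected.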
@@ -126,13 +127,13 @@
bind_url=$(echo ${ldap_url} | awk '{print $1}')
fi
sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -4 \
- -u zimbra -h "${bind_url} ldapi:///" -F /opt/zimbra/data/ldap/config
+ -u zimbra -h "${bind_url} ${ldaps_url} ldapi:///" -F /opt/zimbra/data/ldap/config
sleep 5
for ((i =0; i < 6; i++)); do
checkrunning
if [ $RUNNING = 0 ]; then
sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -4 \
- -u zimbra -h "${bind_url} ldapi:///" -F /opt/zimbra/data/ldap/config
+ -u zimbra -h "${bind_url} ${ldaps_url} ldapi:///" -F /opt/zimbra/data/ldap/config
else
break
fi
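Review bot: the listener string `"${bind_url} ${ldaps_url} ldapi:///"` is now written out twice, once on the initial zmslapd start and again on the retry inside the `for` loop, so a later edit to one invocation can drift from the other; assign it to a single variable above the first `sudo /opt/zimbra/libexec/zmslapd` and reference that in both places. Also note that bin/ldap is a script shipped by Zimbra, so this edit is lost on the next upgrade and needs to be re-applied together with the `ldaps_url` localconfig value, and that the anonymous-bind question raised in post #3 now applies to the 636 listener as well as 389.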
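The explanation in post #5 (slapd listens on whatever whitespace-separated URL list it is given) and the `"${bind_url} ${ldaps_url} ldapi:///"` string assembled in post #8 are the kind of thing an administrator wants to check before handing the result to slapd and watching the start loop retry. The following is an added example written for this page, not code from the thread or from Zimbra: it rebuilds the patched `-h` argument the same way the modified bin/ldap does, parses it into listeners with slapd's default ports, and reports which ports are plaintext, whether an ldaps listener is present, and whether two URLs collide on the same host:port (for example `ldap://` and `ldaps://` both on 389). Host names and ports used as sample input are constructed.

```python
"""Sanity-check a slapd listener list of the kind passed to zmslapd -h.

Added example, not code from the thread or from Zimbra. It mirrors the
string built in the patched bin/ldap ("${bind_url} ${ldaps_url} ldapi:///")
and inspects the result before it is handed to slapd. All host names and
ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Ports slapd assumes when a URL omits one.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class Listener:
    scheme: str            # ldap, ldaps or ldapi
    host: Optional[str]    # None for the ldapi:/// socket
    port: Optional[int]    # None for the ldapi:/// socket


def compose_bind_urls(bind_url: str, ldaps_url: str = "") -> str:
    """Build the -h argument exactly as the patched bin/ldap does.

    An unset ldaps_url leaves an empty field; slapd splits on whitespace,
    so the list degrades to the original two listeners.
    """
    return f"{bind_url} {ldaps_url} ldapi:///"


def parse_listener_list(urls: str) -> List[Listener]:
    """Split a whitespace-separated URL list into Listener records.

    Raises ValueError for a scheme slapd would not accept or for a network
    URL without a host, so a typo fails here instead of in the start loop.
    """
    listeners: List[Listener] = []
    for token in urls.split():
        parts = urlsplit(token)
        if parts.scheme not in ("ldap", "ldaps", "ldapi"):
            raise ValueError(f"unsupported scheme in {token!r}")
        if parts.scheme == "ldapi":
            listeners.append(Listener("ldapi", None, None))
            continue
        if not parts.hostname:
            raise ValueError(f"missing host in {token!r}")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        listeners.append(Listener(parts.scheme, parts.hostname, port))
    return listeners


def audit(listeners: List[Listener]) -> Dict[str, object]:
    """Summarise what the listener list exposes.

    has_ldaps:       a TLS-wrapped listener (the 636 goal of the thread) exists
    plaintext_ports: ports whose simple binds travel unprotected unless the
                     client upgrades the connection with STARTTLS
    conflicting:     host:port pairs that appear twice, which slapd cannot bind
    """
    seen: Dict[tuple, int] = {}
    for ln in listeners:
        if ln.host is not None:
            seen[(ln.host, ln.port)] = seen.get((ln.host, ln.port), 0) + 1
    return {
        "has_ldaps": any(ln.scheme == "ldaps" for ln in listeners),
        "plaintext_ports": sorted(ln.port for ln in listeners if ln.scheme == "ldap"),
        "conflicting": sorted(f"{h}:{p}" for (h, p), n in seen.items() if n > 1),
    }


if __name__ == "__main__":
    # Constructed sample: the two localconfig values an admin following post #8 would set.
    ldap_url = "ldap://mail.myserver.com:389"
    ldaps_url = "ldaps://mail.myserver.com:636"
    urls = compose_bind_urls(ldap_url, ldaps_url)
    print(urls)
    print(audit(parse_listener_list(urls)))
```

Run it as-is to see the composed list and its audit, or call `compose_bind_urls` with an empty `ldaps_url` to confirm that the unpatched behaviour is what comes out when the localconfig key is missing.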