
Thread: Enabling LDAPS?

  1. #11 Diranged (Intermediate Member)

    Thanks for the tips... I am looking to make sure that all my data is encrypted whenever using ldaps:// -- but still allow non-encrypted access via ldap://. I thought that I needed to use -ZZ to make sure that ldaps:// didn't fall back to non-encrypted access. Do I not need to do that?

  2. #12 quanah (Zimbra Employee)

    Quoting Diranged:
        Thanks for the tips... I am looking to make sure that all my data is encrypted whenever using ldaps:// -- but still allow non-encrypted access via ldap://. I thought that I needed to use -ZZ to make sure that ldaps:// didn't fall back to non-encrypted access. Do I not need to do that?

    You're confusing yourself here.

    startTLS == ENCRYPTED
    ldaps == ENCRYPTED

    So in either case, the connection is encrypted. One works over the normal ldap:// port, the other one is a secure port only. Using ldaps:// means *any* connection is encrypted. Using startTLS means that connections that request startTLS be initiated are encrypted. The connections from Zimbra by default use startTLS. Since you don't really say much about what it is you are doing, I don't know exactly what it is you are trying to be sure gets encrypted. As I noted before, you can create the same behavior as ldaps (everything is encrypted) by requiring startTLS be in effect using the security directive in slapd.conf.in, and at that point, all connections will be required to be encrypted.

    There is no way with "ldaps" to fall back to unencrypted, since it's encrypted from the get-go.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #13 Diranged (Intermediate Member)

    Ok I'm in the process of fixing some of the things I broke while working on this ... but noticed some oddness. When I run ldapsearch as 'root' it fails with a certificate error, but when I run it as 'zimbra' it works perfectly.

    Where is ldapsearch getting its certificate information, so that I can access the certificate with apache and other ldap clients...

  4. #14 quanah (Zimbra Employee)

    Quoting Diranged:
        Ok I'm in the process of fixing some of the things I broke while working on this ... but noticed some oddness. When I run ldapsearch as 'root' it fails with a certificate error, but when I run it as 'zimbra' it works perfectly.

        Where is ldapsearch getting its certificate information, so that I can access the certificate with apache and other ldap clients...

    Look at the zimbra user .ldaprc file. Basically you just need to make sure any ldap client you use has access to your cert's CA file, as is fairly standard with cert setup. A number of server software (like apache) ships with a set of pre-known CA's, which may be why your cert worked just fine with it.

    --Quanah

  5. #15 Diranged (Intermediate Member)

    Thanks, that's what I was looking for ... oddly now, I still have one more strange behavior. I have ldaps:// working fine with ldapsearch. I have a 'frontend' node with the zimbra ldap server on it, as well as Apache, and my apache works just fine with ldaps and pointing to the commercial_ca.pem file. I have some slave nodes though that also have this commercial_ca.pem file setup, but can NOT connect to the ldaps:// server -- only ldap://.

    Any ideas? The configuration settings are identical on the slave and frontend web servers... they both have the same ldap and openssl packages installed, and they have the same /etc/openldap/ldap.conf files.

  6. #16 quanah (Zimbra Employee)

    Quoting Diranged:
        Any ideas? The configuration settings are identical on the slave and frontend web servers... they both have the same ldap and openssl packages installed, and they have the same /etc/openldap/ldap.conf files.

    Is the CA cert installed on these systems? Did you create the x509 hash for it?
    Look at the symlinks in the location of the CA cert on the systems that work...
    --Quanah

  7. #17 lweeks (Partner (VAR/HSP))
    openldap and serving CA certs

    This is a relatively old thread, but we recently encountered this issue and resolved it. We expose LDAP (with modified ACLs) for use with external clients for GAL lookup. Our SSL certificate now requires an intermediate certificate, and we found that slapd as configured in ZCS does not serve the intermediate certificate out, only the host certificate. To resolve this, we have set the cn=config attribute olcTLSCACertificateFile to the slapd.crt file, which contains the full bundle of certificates. We have also added the root certificate to the /opt/zimbra/conf/ca cache, as ZCS instead places the combined intermediate+root/signing CA bundle there. That step may not be necessary, but we did it for good measure.

    Configured in this way, slapd serves out the necessary certificate chain to clients. So, our cn=config database now contains:

    Code:
        olcTLSCACertificateFile: /opt/zimbra/conf/slapd.crt
        olcTLSCertificateFile: /opt/zimbra/conf/slapd.crt
        olcTLSCertificateKeyFile: /opt/zimbra/conf/slapd.key

    This is only on an LDAP replica dedicated to this external GAL use -- we have not modified the configuration on LDAP servers used with other ZCS components.

    Hopefully this will help somebody in the future.

    Larry
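A set of shell checks for the three client-side problems raised in posts #14, #16 and #17: which CA file an OpenLDAP client actually reads (ldap.conf versus the user's .ldaprc), the subject-hash symlink a CA directory needs, and whether a bundle such as slapd.crt is ordered so that slapd serves the full chain. This is an added example, not code from the thread or from Zimbra; it assumes openssl(1) is installed and that the CA file handed to install_ca_hash_link already sits inside the target directory.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl(1) is on PATH and that
# the CA file passed to install_ca_hash_link already lives inside the target dir.

# Print the "subject=" and "issuer=" lines for every cert in a PEM bundle, in file order.
pem_chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Return 0 when the bundle is ordered server cert -> intermediate(s) -> root,
# i.e. each cert's issuer is the subject of the next one. A file used as
# olcTLSCertificateFile must look like this for slapd to send a complete chain.
chain_is_ordered() {
    pem_chain_summary "$1" | awk '
        BEGIN { n = 0 }
        /^subject=/ { subj[n] = substr($0, 9) }
        /^issuer=/  { iss[n]  = substr($0, 8); n++ }
        END {
            if (n == 0) exit 1
            for (i = 0; i < n - 1; i++)
                if (iss[i] != subj[i + 1]) exit 1
            exit 0
        }'
}

# Create the <subject_hash>.N symlink that OpenSSL-based clients (ldapsearch,
# Apache) use to find a CA inside a TLS_CACERTDIR; prints the link path.
# A different CA that happens to share the hash gets the next free suffix.
install_ca_hash_link() {
    dir=$1; ca=$2
    hash=$(openssl x509 -noout -hash -in "$ca") || return 1
    i=0
    while [ -e "$dir/$hash.$i" ] && ! cmp -s "$dir/$hash.$i" "$ca"; do
        i=$((i + 1))
    done
    ln -sfn "$(basename "$ca")" "$dir/$hash.$i" && printf '%s\n' "$dir/$hash.$i"
}

# Print the TLS_CACERT an OpenLDAP client ends up with when the given files are
# read in order (system ldap.conf first, then the user's .ldaprc); a later file
# wins, which is how root and the zimbra user can get different results.
effective_tls_cacert() {
    cat "$@" 2>/dev/null | awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { print v }'
}
```

Run chain_is_ordered against the file named in olcTLSCertificateFile on a replica, and effective_tls_cacert against /etc/openldap/ldap.conf followed by the .ldaprc of the user whose ldapsearch fails.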
