Zimbra :: Forums
07-26-2009, 07:52 AM
External LDAP auth + TLS + import cacert

I'm doing external LDAP auth and our LDAP server cert is signed by our local CA. When I enable TLS in Zimbra's external authentication settings, and then I set our LDAP server to require TLS, the Zimbra authentication is failing with "LDAP: error code 49 - Invalid Credentials". If I allow the LDAP server to accept non-TLS binds if STARTTLS fails, then it works.
In my experience, this means one of two things:
1. Zimbra is not using the FQDN for the LDAP server
or
2. Zimbra does not have access to the cacert that signed the LDAP server's cert
I've configured external auth in the admin interface, enabling TLS there and using the FQDN for the LDAP server. I also verified that the cacert from our local CA is in the Zimbra keystore (which makes sense, because it's the same CA that signed Zimbra's own certificate).
ldapsearch binds as user zimbra from the command line to the external LDAP server work fine even when forcing TLS with -ZZ.
What am I missing? Is there an ldap.conf somewhere that needs to be modified? I see that our local CA's cert is in /opt/zimbra/conf/ca with the appropriate hashed filename. It looks like everything is in place, but no dice.
Any thoughts?
07-26-2009, 08:06 AM
Zimbra Consultant & Moderator
Requiring TLS for External Authentication is for users authenticating when they use the Zimbra server, it's not for an external LDAP authentication. This from the Admin UI help file:

Quote:
Enable authentication
Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail.
TLS authentication only
When checked, forces all SMTP auth to use Transaction Level Security (similar to SSL) to avoid passing passwords in the clear.
Regards
Bill
07-26-2009, 08:20 AM
I'm not sure I follow you. Here's my situation and goal:
User goes to Zimbra web interface (or attempts to log into Zimbra via their IMAP client). They provide a username and password. Zimbra attempts to use those credentials to bind to our centralized LDAP server in order to authenticate the user.
Right now Zimbra is sending that traffic in plain text. I want to use TLS to encrypt it. This means telling Zimbra to use TLS when it attempts to communicate with our LDAP server.
I'm going into my Zimbra admin interface, clicking domains, clicking my domain, clicking Configure Authentication, choosing External LDAP, giving the name of our LDAP server, and enabling StartTLS.
You said "Requiring TLS for External Authentication is for users authenticating when they use the Zimbra server, it's not for an external LDAP authentication". I think we are talking about the same thing - no?
07-26-2009, 08:35 AM
Ah, I see that you are looking at a different area of the admin interface. I'm not talking about configuring TLS for the MTA, I'm talking about when users log in to Zimbra via the web interface or IMAP clients. Here is the relevant portion of the admin UI help files:

Quote:
External LDAP
The external LDAP authentication mechanism attempts to bind to the specified directory server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid. You configure the following External LDAP settings:
* LDAP URL and whether to use SSL or StartTLS. Enter the LDAP address. Check either to use SSL or StartTLS. The default port is 389. If you use SSL, the default port is 636. You can configure multiple external LDAP hosts.
* LDAP filter. The filter defines the search rules used for directory searches and tries to map the user name to one user on the external LDAP. You should ensure that the filter you enter results in a single entry being matched, otherwise an authentication error is returned to the user. Example of the search filter is (mail=%u@mycompany.com).
* LDAP search base. To search within a specific part of your directory, enter a search base. It would be entered as (dc=server,dc=com).
* Use DN/Password to bind to external server. If the filter you entered cannot be run using an anonymous bind, then enter the DN/password for a service account on the external LDAP that has been granted access to the attributes required to do the search.
Having figured out that confusion, we are back to the original problem. The STARTTLS to the external LDAP server is failing, and what I'm trying to determine is 1. why and 2. where the settings for external LDAP auth are stored in the config files so I can try to track down the problem.
It seems to me the most likely candidate is that it's not seeing the right cacert when it's making the connection to the external LDAP, but the cacert is in the jetty keystore, and it's also on the filesystem, so it could just be that an ldap.conf somewhere needs editing, but all the ones I can see on the filesystem, both within /opt/zimbra and /etc/ldap.conf and /etc/openldap/ldap.conf, look correct.
07-26-2009, 08:47 AM
Zimbra Consultant & Moderator
Regards
Bill
07-26-2009, 08:58 AM
I don't think so. :-)
That bug is referring to using external LDAP for a GAL. Notice that in the Zimbra GAL Configuration Wizard for a domain, if you choose an external LDAP for your GAL it does not offer the option to start TLS.
However, in the Authentication Configuration Wizard TLS is an option, and unless there's a checkbox on the Zimbra interface that truly does nothing, then I don't think that bug applies to my situation.
If I click Domains -> click my domain -> click Configure Authentication -> choose External LDAP and click Next, notice that there's a checkbox on that page called "Enable StartTLS".
And when I enable it, I see that it *IS* trying to start a TLS connection, but it's failing with an error message that typically indicates a problem verifying the LDAP server's certificate against a CA cert.
I'm fairly confident that Zimbra supports what I want to do, and that it is a CA cert configuration issue. I've been enabling TLS all over our domain lately from clients to the LDAP server, and I've seen this error on many of them.
Normally I can just edit /etc/openldap/ldap.conf and /etc/ldap.conf and point them to the right cacert, but Zimbra stores certs both on the filesystem and inside the jetty keystore, and also has multiple ldap.conf files in non-standard locations, so I'm having a heck of a time tracking down where the configuration needs to happen.
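As an added example (not from anyone in this thread, and not Zimbra code), the following Python probe does by hand what the `ldapsearch -ZZ` check above does: it sends the LDAP StartTLS extended request, reads the ExtendedResponse, and then verifies the server's certificate chain and hostname against a CA file the caller supplies. The host name and CA file path are assumptions to be filled in; the BER encoding follows RFC 4511 and nothing is Zimbra-specific, so it isolates whether the failure is the LDAP server, the cert, or the CA file being used.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    Short-form BER lengths suffice: the whole request is under 128 bytes."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + bytes([len(body)]) + body

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, seen when a diagnostic message is long
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    _, msg, _ = _tlv(data, 0)              # outer LDAPMessage SEQUENCE
    _, _msg_id, pos = _tlv(msg, 0)
    tag, resp, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, pos = _tlv(resp, 0)           # resultCode ENUMERATED
    _, _matched_dn, pos = _tlv(resp, pos)  # matchedDN
    _, diag, _ = _tlv(resp, pos)           # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe_starttls(host, cafile, port=389, timeout=5.0):
    """Send StartTLS, then verify the server cert against cafile (chain and hostname,
    as ldapsearch -ZZ does). Returns a one-line status rather than raising."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: assumed path to the local CA cert
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return "server refused StartTLS: resultCode=%d %s" % (code, diag)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "TLS ok: %s, chain verified against %s" % (tls.version(), cafile)
        except ssl.SSLCertVerificationError as e:
            return "certificate verification failed: %s" % e.verify_message
```

Call `probe_starttls` with the exact FQDN entered in the Zimbra wizard and the CA file from /opt/zimbra/conf/ca; "unable to get local issuer certificate" in the result means that file does not contain the issuing CA, while a clean result here with Zimbra still failing points at Zimbra's own trust store rather than the LDAP server.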
07-26-2009, 09:07 AM
Actually I think you are right - I see that the bug poster was trying to do auth, too.
My new question would be - why the heck is the checkbox on the interface? :-)
I guess I need to hit the Bugzilla and find out if my problem is really his problem. Thanks for the pointer.