hi,
we're just evaluating zimbra to see if it fits our needs as a groupware package. to be able to do so, i want:
- authenticate users against an external openldap directory
- use indirect bind
- tls encryption to be mandatory
tls encryption on the ldap server is enforced via an acl entry for the zimbra server:
Code:
access to *
by dn="cn=admin,dc=foo,dc=bar" write
[...]
by peername.ip=<zimbraip> ssf=128 read
and a similar acl for userPassword, which works fine on the zimbra server:
Code:
zimbra@morbo:~$ ldapsearch -LLL -H ldap://<ldap server> -x -b dc=foo,dc=bar uid=someuser uid
No such object (32)
zimbra@morbo:~$ ldapsearch -LLL -H ldap://<ldap server> -ZZ -x -b dc=foo,dc=bar uid=someuser uid
dn: uid=someuser,ou=users,dc=foo,dc=bar
uid: someuser
zimbra@morbo:~$
now, zimbra seems to use starttls for bind operations only, but not for search operations. this causes the scheme outlined above to fail, since any non-encrypted connection won't return any results.
it would be nice if someone could show a way around this behaviour, which is a show stopper for us at the moment.
here are the slapd logs for reference:
with starttls unticked and no ssf=xxx on the ldap server:
Code:
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=3 fd=24 ACCEPT from IP=<zimbraip>:58139 (IP=0.0.0.0:389)
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=3 op=0 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)"
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=3 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 fd=25 ACCEPT from IP=193.104.220.20:58140 (IP=0.0.0.0:389)
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" method=128
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" mech=SIMPLE ssf=0
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 RESULT tag=97 err=0 text=
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=1 UNBIND
Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 fd=25 closed
-> works, but no tls encryption at all
with starttls ticked and no ssf=xxx on the ldap server:
Code:
Jun 8 14:09:22 <ldap server> slapd[29465]: conn=3 op=1 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)"
Jun 8 14:09:22 <ldap server> slapd[29465]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 ACCEPT from IP=<zimbraip>:58162 (IP=0.0.0.0:389)
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 STARTTLS
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 RESULT oid= err=0 text=
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 TLS established tls_ssf=256 ssf=256
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" method=128
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" mech=SIMPLE ssf=0
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 RESULT tag=97 err=0 text=
Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 closed (connection lost)
-> works, but the search operation does not use starttls
with starttls unticked and ssf=xxx on the ldap server:
Code:
Jun 8 14:18:04 <ldap server> slapd[10552]: conn=1 fd=24 ACCEPT from IP=<zimbraip>:45528 (IP=0.0.0.0:389)
Jun 8 14:18:04 <ldap server> slapd[10552]: conn=1 op=0 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)"
Jun 8 14:18:04 <ldap server> slapd[10552]: conn=1 op=0 SEARCH RESULT tag=101 err=32 nentries=0 text=
-> fails
with starttls ticked and ssf=xxx on the ldap server:
Code:
Jun 8 14:19:29 <ldap server> slapd[10552]: conn=1 op=1 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)"
Jun 8 14:19:29 <ldap server> slapd[10552]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
-> fails
tia,
thoralf.
Bugzilla
Wiki
Source
mandatory starttls for external ldap authentication 
Linear Mode
