LinkBack URL
About LinkBacks
mandatory starttls for external ldap authentication
hi,
we're just evaluating zimbra to see if it fits our needs as a groupware package. to be able to do so, i want:
- authenticate users against an external openldap directory
- use indirect bind
- tls encryption to be mandatory
tls encryption on the ldap server is enforced via an acl entry for the zimbra server:
and a similar acl for userPassword, which works fine on the zimbra server:Code:access to * by dn="cn=admin,dc=foo,dc=bar" write [...] by peername.ip=<zimbraip> ssf=128 read
now, zimbra seems to use starttls for bind operations only, but not for search operations. this causes the scheme outlined above to fail, since any non-encrypted connection won't return any results.Code:zimbra@morbo:~$ ldapsearch -LLL -H ldap://<ldap server> -x -b dc=foo,dc=bar uid=someuser uid No such object (32) zimbra@morbo:~$ ldapsearch -LLL -H ldap://<ldap server> -ZZ -x -b dc=foo,dc=bar uid=someuser uid dn: uid=someuser,ou=users,dc=foo,dc=bar uid: someuser zimbra@morbo:~$
it would be nice if someone could show a way around this behaviour, which is a show stopper for us at the moment.
here are the slapd logs for reference:
with starttls unticked and no ssf=xxx on the ldap server:
-> works, but no tls encryption at allCode:Jun 8 14:07:10 <ldap server> slapd[29465]: conn=3 fd=24 ACCEPT from IP=<zimbraip>:58139 (IP=0.0.0.0:389) Jun 8 14:07:10 <ldap server> slapd[29465]: conn=3 op=0 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" Jun 8 14:07:10 <ldap server> slapd[29465]: conn=3 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 fd=25 ACCEPT from IP=193.104.220.20:58140 (IP=0.0.0.0:389) Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" method=128 Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" mech=SIMPLE ssf=0 Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 RESULT tag=97 err=0 text= Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 op=1 UNBIND Jun 8 14:07:10 <ldap server> slapd[29465]: conn=4 fd=25 closed
with starttls ticked and no ssf=xxx on the ldap server:
-> works, but the search operation does not use starttlsCode:Jun 8 14:09:22 <ldap server> slapd[29465]: conn=3 op=1 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" Jun 8 14:09:22 <ldap server> slapd[29465]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 ACCEPT from IP=<zimbraip>:58162 (IP=0.0.0.0:389) Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 STARTTLS Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 RESULT oid= err=0 text= Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 TLS established tls_ssf=256 ssf=256 Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" method=128 Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" mech=SIMPLE ssf=0 Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 RESULT tag=97 err=0 text= Jun 8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 closed (connection lost)
with starttls unticked and ssf=xxx on the ldap server:
-> failsCode:Jun 8 14:18:04 <ldap server> slapd[10552]: conn=1 fd=24 ACCEPT from IP=<zimbraip>:45528 (IP=0.0.0.0:389) Jun 8 14:18:04 <ldap server> slapd[10552]: conn=1 op=0 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" Jun 8 14:18:04 <ldap server> slapd[10552]: conn=1 op=0 SEARCH RESULT tag=101 err=32 nentries=0 text=
with starttls ticked and ssf=xxx on the ldap server:
-> failsCode:Jun 8 14:19:29 <ldap server> slapd[10552]: conn=1 op=1 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" Jun 8 14:19:29 <ldap server> slapd[10552]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
tia,
thoralf.
