Zimbra :: Forums
11-03-2006, 04:20 PM
jdell (Project Contributor, Posts: 203)
LDAP/LDAPS - how to???
Hi,
I have opened port 389 and port 636 in iptables on my zimbra server. So, I want to connect from a remote server to do some ldap authentication:
This works (uses port 389 - regular LDAP)
Code:
ldapsearch -x -v -H 'ldap://zimbra.mydomain.com/' -b 'ou=people,dc=mydomain,dc=com' -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
This fails (uses port 636 - secure LDAP)
Code:
ldapsearch -x -v -H 'ldaps://zimbra.mydomain.com/' -b 'ou=people,dc=mydomain,dc=com' -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
Here is the detailed output of this ldapsearch:
Code:
ldap_initialize( ldaps://zimbra.mydomain.com )
ldap_create
ldap_url_parse_ext(ldaps://zimbra.mydomain.com)
Enter LDAP Password:
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP zimbra.mydomain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_is_socket_ready: error on socket 3: errno: 111 (Connection refused)
ldap_close_socket: 3
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
So, zimbra is refusing the connection on 636, but firewall is open?
So, let's see if LDAP is running on Zimbra (as root on zimbra box):
Code:
>nmap localhost
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1669 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
953/tcp open rndc
993/tcp open imaps
Yikes, nmap doesn't see any LDAP running?
WTF?
How does query on 389 work? Why is it failing on 636?
So, I'm totally confused! Please enlighten this neophyte 
Last edited by jdell; 11-03-2006 at 04:25 PM.
11-03-2006, 07:03 PM
czaveri (Former Zimbran, Posts: 294)
Zimbra LDAP uses only 389 and not 636.
Try "nmap your.hostname.com". The LDAP listens to your external IP not localhost.
Regards,
Chintan Zaveri (Yet another ZIMBRAN!)
"Dhundhne par Bhagwan bhi ..."
11-03-2006, 08:50 PM
jdell (Project Contributor, Posts: 203)
Quote:
Originally Posted by czaveri
Zimbra LDAP uses only 389 and not 636.
Try "nmap your.hostname.com". The LDAP listens to your external IP not localhost.

Ok, seems odd that zimbra LDAP doesn't listen to localhost when it binds to everything else.
But, I'm really baffled that Zimbra doesn't do secure LDAP
Security 101 says anytime you pass username and password over the network, you should be using a secure protocol.
Do you know a way to enable LDAPS for Zimbra?
11-03-2006, 10:28 PM
jdell (Project Contributor, Posts: 203)
I don't know squat about LDAP... how to get client to trust server cert?
Any LDAP gurus...
Short version:
Where is the Zimbra LDAP CA file and how do I install it on a client so I can do LDAP with TLS queries to the Zimbra Server?
Long version:
I figured out how I can manually start LDAPS by editing /opt/zimbra/bin/ldap, but after doing that and reading more, I realized that I don't need to do that because TLS can be initiated over regular LDAP on port 389, and that is what zimbra is setup to do.
The ldapsearch command I'm running is now:
Code:
ldapsearch -x -Z -v -H 'ldap://zimbra.mydomain.com' -b 'ou=people,dc=mydomain,dc=com' -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
So, the problem I'm running into now is that the client machine doesn't trust the SSL certificate used by Zimbra. When I run ldapsearch with -Z (start TLS) from the client to Zimbra, I get this:
Code:
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Docs here: http://www.openldap.org/faq/data/cache/185.html suggest that you should add the CA to the trusted CAs on the client.
Where is the CA file that Zimbra uses for generating its certificates?
I see the slapd.key and slapd.crt in /opt/zimbra/conf but those are not CA files according to /opt/zimbra/conf/slapd.conf, they are TLSCertificateFile and TLSCertificateKeyFile, not CA files.
If I can't get the CA file, can you configure a client with just a copy of the slapd.crt and slapd.key?
11-03-2006, 11:27 PM
jdell (Project Contributor, Posts: 203)
Got it!!!!
Wow, finally got it working!
The machine I'm running the LDAP queries from is RHEL4 (as well as Zimbra). For different host OS's you may need to put the CA .pem file in a different place. Also, on RHEL4, there are 2 ldap.conf files! Adding the setting to /etc/ldap.conf won't work, but will in /etc/openldap/ldap.conf
So, here are the steps:
Copy the /opt/zimbra/conf/ca/ca.pem to /etc/openldap/cacerts on the target machine.
Edit /etc/openldap/ldap.conf and add the following:
TLS_CACERT /etc/openldap/cacerts/ca.pem (or whatever you named the file).
This query will now work!
Code:
>ldapsearch -x -ZZ -v -H 'ldap://zimbra.domain.com' -b 'ou=people,dc=domain,dc=com' -D 'uid=jdell,ou=people,dc=domain,dc=com' -W
The -ZZ flag forces TLS and will fail if TLS doesn't negotiate properly.
Woot!!!
11-04-2006, 12:34 AM
czaveri (Former Zimbran, Posts: 294)
Quote:
Originally Posted by jdell
Wow, finally got it working!

Great Job, jdell!
03-22-2007, 09:29 AM
su_A_ve (Special Member, Posts: 149)
Clarifying some things here...
At least this is for the Network Ed...
As the zimbra user, you would use the ldapsearch binaries within zimbra, under /opt/zimbra/openldap
All you actually need to skip server cert verification is to add the following to the ldap.conf file (if you are doing the searches as the zimbra user, then the file to mod is /opt/zimbra/openldap/conf/ldap.conf):
Code:
TLS_REQCERT never
If you are doing this as root, or any other user, and provided you have the openldap utils installed, then the default config file would be under /etc/openldap/ldap.conf.
My .02...
03-22-2007, 09:47 AM
jdell (Project Contributor, Posts: 203)
Quote:
Originally Posted by su_A_ve
Clarifying some things here...

That's great info. I wasn't aware of that flag.
From googling, it sounds like the TLS handshake and all works the same so the network traffic is still encrypted, it just never tries to validate the cert with a CA, does that sound right?
Thanks!
03-23-2007, 08:15 AM
su_A_ve (Special Member, Posts: 149)
Quote:
Originally Posted by jdell
That's great info. I wasn't aware of that flag.
From googling, it sounds like the TLS handshake and all works the same so the network traffic is still encrypted, it just never tries to validate the cert with a CA, does that sound right?
Thanks!

Yes. All that flag does is ignore the validity of the server's cert.
If you would want to verify the server's cert, you can use the TLS_CACERTDIR variable to point to a directory that has the valid CA certificates (in pem format, and AFAIK, in the weird hex naming convention)
There's also the TLS_CACERT variable that can be pointed to an actual file with the CA or chain of CAs certificates...
My .02...
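Putting jdell's TLS_CACERT recipe and su_A_ve's TLS_REQCERT notes side by side, as an added example that is not from the thread or from Zimbra: a small Python script that applies the pinning step to an ldap.conf as text and audits a config for the "TLS_REQCERT never" shortcut. The sample config and the CA path are constructed; ldap.conf itself is the /etc/openldap/ldap.conf format discussed above.

```python
"""Added example (not from the thread): treat an OpenLDAP client ldap.conf
(the /etc/openldap/ldap.conf format) as text. pin_ca() is jdell's TLS_CACERT
step made idempotent; audit_tls() flags the TLS_REQCERT never shortcut.
The sample config is constructed, not copied from any host."""
import re

# Constructed: a client using the quick fix that skips verification.
WEAK_CONF = """\
BASE dc=mydomain,dc=com
URI ldap://zimbra.mydomain.com
TLS_REQCERT never
"""

def parse_ldap_conf(text):
    """{KEY: value} from 'KEY value' lines; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def pin_ca(text, ca_path):
    """Return text with one TLS_CACERT line for ca_path and TLS_REQCERT demand.
    demand is OpenLDAP's default, restated so a leftover 'TLS_REQCERT never'
    cannot silently keep verification switched off."""
    kept = [ln for ln in text.splitlines()
            if not re.match(r"\s*TLS_(CACERT|REQCERT)\s", ln, re.I)]
    return "\n".join(kept + [f"TLS_CACERT {ca_path}", "TLS_REQCERT demand"]) + "\n"

def audit_tls(text):
    """Findings about server authentication; [] means the client checks the
    server certificate against a configured trust anchor."""
    conf = parse_ldap_conf(text)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # default per ldap.conf(5)
    if reqcert in ("never", "allow"):
        return [f"TLS_REQCERT {reqcert}: traffic is encrypted but the server is "
                "never authenticated, so an impersonated LDAP server is not detected"]
    findings = []
    if reqcert == "try":
        findings.append("TLS_REQCERT try: a server that sends no certificate is accepted")
    if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor, so "
                        "StartTLS fails with 'certificate verify failed'")
    return findings
```

Running audit_tls over the constructed WEAK_CONF reports the unauthenticated-server finding, and the same config after pin_ca() comes back clean.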
04-09-2007, 10:34 AM
/etc/ldap.conf examples?
Any chance someone could post the /etc/ldap.conf from nss_ldap?
I keep getting pam_ldap: error trying to bind (Invalid DN syntax), while this syntax seems to work just fine in /etc/openldap/ldap.conf.