Page 1 of 2
Results 1 to 10 of 11

Thread: LDAP/LDAPS - how to???

  1. #1
    jdell, Project Contributor
    Join Date: Jul 2006
    Location: Reno, NV, USA
    Posts: 203

    LDAP/LDAPS - how to???

    Hi,

    I have opened port 389 and port 636 in iptables on my zimbra server. So, I want to connect from a remote server to do some ldap authentication:

    This works (uses port 389 - regular LDAP)
    Code:
    ldapsearch -x -v -H 'ldap://zimbra.mydomain.com/' -b 'ou=people,dc=mydomain,dc=com'  -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
    This fails (uses port 636 - secure LDAP) and
    Code:
    ldapsearch -x -v -H 'ldaps://zimbra.mydomain.com/' -b 'ou=people,dc=mydomain,dc=com'  -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
    Here is the detailed output of this ldapsearch:
    Code:
    ldap_initialize( ldaps://zimbra.mydomain.com )
    ldap_create
    ldap_url_parse_ext(ldaps://zimbra.mydomain.com)
    Enter LDAP Password: 
    ldap_bind_s
    ldap_simple_bind_s
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection
    ldap_int_open_connection
    ldap_connect_to_host: TCP zimbra.mydomain.com:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 192.168.1.1:636
    ldap_connect_timeout: fd: 3 tm: -1 async: 0
    ldap_ndelay_on: 3
    ldap_is_sock_ready: 3
    ldap_is_socket_ready: error on socket 3: errno: 111 (Connection refused)
    ldap_close_socket: 3
    ldap_perror
    ldap_bind: Can't contact LDAP server (-1)
    So, zimbra is refusing the connection on 636, but the firewall is open?

    So, let's see if LDAP is running on Zimbra (as root on zimbra box):
    Code:
    >nmap localhost
    Interesting ports on localhost.localdomain (127.0.0.1):
    Not shown: 1669 closed ports
    PORT      STATE SERVICE
    22/tcp    open  ssh
    25/tcp    open  smtp
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    143/tcp   open  imap
    443/tcp   open  https
    953/tcp   open  rndc
    993/tcp   open  imaps
    Yikes, nmap doesn't see any LDAP running?

    WTF?

    How does the query on 389 work? Why is it failing on 636?

    So, I'm totally confused! Please enlighten this neophyte
    Last edited by jdell; 11-03-2006 at 05:25 PM.

  2. #2
    czaveri, Former Zimbran
    Join Date: Feb 2006
    Location: Pune, India
    Posts: 294


    Zimbra LDAP uses only 389 and not 636.

    Try "nmap your.hostname.com". The LDAP listens on your external IP, not localhost.
    Regards,

    Chintan Zaveri
    (Yet another ZIMBRAN!)

    "Dhundhne par Bhagwan bhi ..."

  3. #3
    jdell, Project Contributor
    Join Date: Jul 2006
    Location: Reno, NV, USA
    Posts: 203


    Quote Originally Posted by czaveri
    Zimbra LDAP uses only 389 and not 636.

    Try "nmap your.hostname.com". The LDAP listens on your external IP, not localhost.
    Ok, seems odd that zimbra LDAP doesn't listen to localhost when it binds to everything else.

    But, I'm really baffled that Zimbra doesn't do secure LDAP

    Security 101 says anytime you pass username and password over the network, you should be using a secure protocol.

    Do you know a way to enable LDAPS for Zimbra?

  4. #4
    jdell, Project Contributor
    Join Date: Jul 2006
    Location: Reno, NV, USA
    Posts: 203

    I don't know squat about LDAP... how to get client to trust server cert?

    Any LDAP gurus...

    Short version:
    Where is the Zimbra LDAP CA file and how do I install it on a client so I can do LDAP with TLS queries to the Zimbra Server?

    Long version:
    I figured out how I can manually start LDAPS by editing /opt/zimbra/bin/ldap, but after doing that and reading more, I realized that I don't need to do that because TLS can be initiated over regular LDAP on port 389, and that is what zimbra is set up to do.

    The ldapsearch command I'm running is now:
    Code:
    ldapsearch -x -Z -v -H 'ldap://zimbra.mydomain.com' -b 'ou=people,dc=mydomain,dc=com'  -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
    So, the problem I'm running into now is that the client machine doesn't trust the SSL certificate used by Zimbra. When I run ldapsearch with -Z (start TLS) from the client to Zimbra, I get this:

    Code:
    ldap_start_tls: Connect error (-11)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Docs here: http://www.openldap.org/faq/data/cache/185.html suggest that you should add the CA to the trusted CA's on the client.

    Where is the CA file that Zimbra uses for generating its certificates?

    I see the slapd.key and slapd.crt in /opt/zimbra/conf but those are not CA files according to /opt/zimbra/conf/slapd.conf, they are TLSCertificateFile, and TLSCertificateKeyFile, not CA files.

    If I can't get the CA file, can you configure a client with just a copy of the slapd.crt and slapd.key?

  5. #5
    jdell, Project Contributor
    Join Date: Jul 2006
    Location: Reno, NV, USA
    Posts: 203

    Got it!!!!

    Wow, finally got it working!

    The machine I'm running the LDAP queries from is RHEL4 (as well as Zimbra). For different host OSes you may need to put the CA .pem file in a different place. Also, on RHEL4, there are 2 ldap.conf files! Adding the setting to /etc/ldap.conf won't work, but it will in /etc/openldap/ldap.conf.

    So, here are the steps:

    Copy the /opt/zimbra/conf/ca/ca.pem to /etc/openldap/cacerts on the target machine.

    Edit /etc/openldap/ldap.conf and add the following:
    TLS_CACERT /etc/openldap/cacerts/ca.pem (or whatever you named the file).

    This query will now work!

    Code:
    >ldapsearch -x -ZZ -v -H 'ldap://zimbra.domain.com' -b 'ou=people,dc=domain,dc=com'  -D 'uid=jdell,ou=people,dc=domain,dc=com' -W
    The -ZZ flag forces TLS and will fail if TLS doesn't negotiate properly.

    Woot!!!

  6. #6
    czaveri, Former Zimbran
    Join Date: Feb 2006
    Location: Pune, India
    Posts: 294


    Quote Originally Posted by jdell
    Wow, finally got it working!

    The machine I'm running the LDAP queries from is RHEL4 (as well as Zimbra). For different host OSes you may need to put the CA .pem file in a different place. Also, on RHEL4, there are 2 ldap.conf files! Adding the setting to /etc/ldap.conf won't work, but it will in /etc/openldap/ldap.conf.

    So, here are the steps:

    Copy the /opt/zimbra/conf/ca/ca.pem to /etc/openldap/cacerts on the target machine.

    Edit /etc/openldap/ldap.conf and add the following:
    TLS_CACERT /etc/openldap/cacerts/ca.pem (or whatever you named the file).

    This query will now work!

    Code:
    >ldapsearch -x -ZZ -v -H 'ldap://zimbra.domain.com' -b 'ou=people,dc=domain,dc=com'  -D 'uid=jdell,ou=people,dc=domain,dc=com' -W
    The -ZZ flag forces TLS and will fail if TLS doesn't negotiate properly.

    Woot!!!
    Great Job, jdell!

    Regards,

    Chintan Zaveri
    (Yet another ZIMBRAN!)

    "Dhundhne par Bhagwan bhi ..."

  7. #7
    su_A_ve, Advanced Member
    Join Date: Dec 2006
    Posts: 183


    Clarifying some things here... At least this is for the Network Ed...

    As the zimbra user, you would use the ldapsearch binaries within zimbra, under /opt/zimbra/openldap

    All you actually need to skip server cert verification is to add the following to the ldap.conf file (if you are doing the searches as the zimbra user, then the file to mod is /opt/zimbra/openldap/conf/ldap.conf)

    TLS_REQCERT never

    If you are doing this as root, or any other user, and provided you have the openldap utils installed, then the default config file would be under /etc/openldap/ldap.conf.

    My .02...

  8. #8
    jdell, Project Contributor
    Join Date: Jul 2006
    Location: Reno, NV, USA
    Posts: 203


    Quote Originally Posted by su_A_ve
    Clarifying some things here... At least this is for the Network Ed...

    As the zimbra user, you would use the ldapsearch binaries within zimbra, under /opt/zimbra/openldap

    All you actually need to skip server cert verification is to add the following to the ldap.conf file (if you are doing the searches as the zimbra user, then the file to mod is /opt/zimbra/openldap/conf/ldap.conf)

    TLS_REQCERT never

    If you are doing this as root, or any other user, and provided you have the openldap utils installed, then the default config file would be under /etc/openldap/ldap.conf.

    My .02...
    That's great info. I wasn't aware of that flag.

    From googling, it sounds like the TLS handshake and all works the same so the network traffic is still encrypted, it just never tries to validate the cert with a CA, does that sound right?

    Thanks!

  9. #9
    su_A_ve, Advanced Member
    Join Date: Dec 2006
    Posts: 183


    Quote Originally Posted by jdell
    That's great info. I wasn't aware of that flag.

    From googling, it sounds like the TLS handshake and all works the same so the network traffic is still encrypted, it just never tries to validate the cert with a CA, does that sound right?

    Thanks!
    Yes. All that flag does is ignore the validity of the server's cert.

    If you would want to verify the server's cert, you can use the TLS_CACERTDIR variable to point to a directory that has the valid CA certificates (in pem format, and AFAIK, in the weird hex naming convention)

    There's also the TLS_CACERT variable that can be pointed to an actual file with the CA or chain of CAs certificates...

    My .02...
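    The three client states this thread walks through (no trust anchor, so STARTTLS fails with "certificate verify failed" as in post #4; TLS_REQCERT never, which encrypts but does not authenticate the server, as in posts #7 to #9; and an explicit TLS_CACERT pointing at Zimbra's ca.pem, as in post #5) can be told apart by auditing the client's ldap.conf. The following is an added example written for this page; it is not code from the posts, from Zimbra or from OpenLDAP. It implements ldap.conf(5) parsing rules (leading-'#' comments, case-insensitive directive names, last value wins) and the documented TLS_REQCERT values; the sample config text and the /etc/openldap/cacerts/ca.pem path are constructed to match the thread.

```python
"""Audit the TLS directives in an OpenLDAP client ldap.conf.

Added example for this thread; not code from the original posts, Zimbra or
OpenLDAP. It models the ldap.conf(5) options discussed above (TLS_REQCERT,
TLS_CACERT, TLS_CACERTDIR) and reports whether a client configured that way
authenticates the LDAP server or merely encrypts the session.
All sample config text and file paths below are constructed.
"""
from typing import Dict, FrozenSet, List

# ldap.conf(5): TLS_REQCERT defaults to "demand". With "never" or "allow" the
# bind proceeds even when the server certificate cannot be verified, so the
# password is encrypted in transit but the peer's identity is not checked.
REQCERT_DEFAULT = "demand"
REQCERT_VALUES = ("never", "allow", "try", "demand", "hard")
REQCERT_UNAUTHENTICATED = ("never", "allow")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf text into an {UPPER_KEY: value} map.

    Blank lines and lines beginning with '#' are ignored, directive names are
    case-insensitive, and a repeated directive keeps the last value seen.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls(conf: Dict[str, str], present: FrozenSet[str] = frozenset()) -> List[str]:
    """Return findings for the TLS settings; `present` lists paths that exist on disk."""
    findings: List[str] = []
    reqcert = conf.get("TLS_REQCERT", REQCERT_DEFAULT).lower()
    cacert = conf.get("TLS_CACERT", "")
    cacertdir = conf.get("TLS_CACERTDIR", "")

    if reqcert not in REQCERT_VALUES:
        return [f"ERROR: unknown TLS_REQCERT value '{reqcert}'"]
    if reqcert in REQCERT_UNAUTHENTICATED:
        findings.append(
            f"HIGH: TLS_REQCERT {reqcert}: session is encrypted but the server "
            "certificate is not verified, so an impostor's certificate is accepted"
        )
    elif not cacert and not cacertdir:
        # This is the state behind the thread's 'certificate verify failed':
        # verification is required but no trust anchor is configured.
        findings.append(
            f"HIGH: TLS_REQCERT {reqcert} with no TLS_CACERT/TLS_CACERTDIR: "
            "STARTTLS will fail with 'certificate verify failed'"
        )
    if cacert and cacert not in present:
        findings.append(f"WARN: TLS_CACERT file not found: {cacert}")
    if cacertdir:
        # OpenSSL-style CA directories are looked up by subject hash, so the
        # files must be named <hash>.N (created with 'openssl rehash' / c_rehash).
        findings.append(f"INFO: TLS_CACERTDIR {cacertdir} must be a hashed directory")
    if not any(f.split(":", 1)[0] in ("HIGH", "WARN") for f in findings):
        findings.insert(0, f"OK: server certificate verified against {cacert or cacertdir}")
    return findings


# Constructed sample: the shortcut from post #7 (binds, but never authenticates the server).
WEAK_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
BASE    dc=mydomain,dc=com
URI     ldap://zimbra.mydomain.com
TLS_REQCERT never
"""

# Constructed sample: the state behind 'certificate verify failed' in post #4.
UNTRUSTED_CONF = """\
URI     ldap://zimbra.mydomain.com
"""

# Constructed sample: the fix from post #5 (trust Zimbra's CA explicitly).
FIXED_CONF = """\
BASE    dc=mydomain,dc=com
URI     ldap://zimbra.mydomain.com
TLS_CACERT /etc/openldap/cacerts/ca.pem
"""

if __name__ == "__main__":
    on_disk = frozenset({"/etc/openldap/cacerts/ca.pem"})  # constructed: pretend the CA was copied
    for name, text in (("weak", WEAK_CONF), ("untrusted", UNTRUSTED_CONF), ("fixed", FIXED_CONF)):
        for finding in audit_tls(parse_ldap_conf(text), on_disk):
            print(f"{name}: {finding}")
```

    Run against a real client, point `present` at the paths that actually exist (for example via `os.path.isfile`) and feed it both /etc/openldap/ldap.conf and, where nss_ldap/pam_ldap is in use, /etc/ldap.conf, since the thread shows those two files are consulted by different consumers.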

  10. #10
    azilber, Senior Member
    Join Date: Feb 2007
    Posts: 52

    /etc/ldap.conf examples?

    any chance someone could post the /etc/ldap.conf from nss_ldap?

    I keep getting pam_ldap: error trying to bind (Invalid DN syntax), while this syntax seems to work just fine in /etc/openldap/ldap.conf.
