Thread: Configure LDAP for external access with ssl+authentication?

#1 dwhuseby

    I have a newly installed ZCS running behind a firewall with a split-dns setup. Currently everything works perfectly. I have opened up the SMTP, HTTPS, and IMAP SSL ports in my firewall and external access works.

    I would like to open up the LDAP port on my firewall, but I have read that the default configuration of Zimbra allows anybody to read the LDAP data. I have received some cryptic answers in another, related thread about changing slapd.conf to limit connections to SSL and to require authentication to gain access.

    I looked at the slapd.conf file and there are some commented-out "access to" lines that are described as setting up authenticated access, but I'm not sure if, after uncommenting those, I need to comment out the other "access to" lines.

    Can somebody provide a sample slapd.conf file that configures the LDAP server to only allow SSL encrypted connections that require the user to authenticate? Once I get that, then I can open the LDAP port on my firewall and external users can access the GAL without a VPN.

    Thanks,
    Dave
    Last edited by dwhuseby; 06-05-2008 at 10:31 PM. Reason: added link to other thread

#2 dwhuseby

    Here's what I'm talking about:

    # Sample security restrictions
    #	Require integrity protection (prevent hijacking)
    #	Require 112-bit (3DES or better) encryption for updates
    #	Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64

    So what do I put here to force the LDAP server to only accept SSL connections? I know that other Zimbra servers need to access the LDAP server, so how do I tell them to use SSL links to the LDAP server so that they can still connect? Is there a way to allow non-SSL local connections but still require remote connections to use SSL?

    # Sample access control policy:
    #	Root DSE: allow anyone to read it
    #	Subschema (sub)entry DSE: allow anyone to read it
    #	Other DSEs:
    #		Allow self write access
    #		Allow authenticated users read access
    #		Allow anonymous users to authenticate
    # Directives needed to implement policy:
    # access to dn.base="" by * read
    # access to dn.base="cn=Subschema" by * read
    # access to *
    #	by self write
    #	by users read
    #	by anonymous auth

    I think I understand this part, but I'm not sure if I want to allow anyone to read the root and subschema (sub)entry DSEs. Ideally, I want the configuration to only allow authenticated users to read/write the directory data.

    Thanks,
    Dave
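
As an added example (not from this thread, and not Zimbra's shipped slapd.conf), here is generic OpenLDAP slapd.conf syntax showing how the ssf= and peername.ip= qualifiers on "access to" rules can demand both TLS and authentication from remote clients while leaving loopback and an internal server subnet on plain ldap://. The subnet 192.168.1.0/255.255.255.0 is an assumed placeholder for wherever the other Zimbra servers live.

```conf
# Added example, generic OpenLDAP slapd.conf syntax; not Zimbra's own file.
# 192.168.1.0/255.255.255.0 is a placeholder for the internal subnet the
# other Zimbra servers sit on; replace it before use.

# Global alternative (left commented): refuses every operation on any
# connection whose security strength factor (SSF) is below 128 bits, which
# in practice means "TLS only". It also locks out local plain ldap://, so it
# only fits once every server talks to LDAP over ldaps:// or StartTLS.
# security ssf=128

# Root DSE and subschema: readable by authenticated users only. Clients that
# probe the root DSE anonymously before binding will get an empty result.
access to dn.base=""
        by users read
        by * none

access to dn.base="cn=Subschema"
        by users read
        by * none

# Everything else. Clauses are tried in order and the first matching <who>
# decides, so the trusted-source clauses come before the TLS clauses and
# the catch-all deny comes last.
access to *
        # loopback may keep using plain ldap://
        by self peername.ip=127.0.0.1 write
        by users peername.ip=127.0.0.1 read
        by anonymous peername.ip=127.0.0.1 auth
        # the internal server subnet, likewise
        by self peername.ip=192.168.1.0%255.255.255.0 write
        by users peername.ip=192.168.1.0%255.255.255.0 read
        by anonymous peername.ip=192.168.1.0%255.255.255.0 auth
        # everyone else must be on a TLS session of at least 128 bits;
        # "auth" lets them bind, "read" only applies once bound
        by self ssf=128 write
        by users ssf=128 read
        by anonymous ssf=128 auth
        # a plaintext connection from anywhere else gets nothing, not
        # even permission to attempt a bind
        by * none
```

The server can only reject a plaintext bind after the client has already sent its password, so at the firewall forward the LDAPS port (636) alone and leave 389 closed; the ACLs then guard against misconfiguration rather than being the sole control. The peername.ip clauses trust the source address, so they are only as strong as the network segmentation behind them.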
