Zimbra :: Forums > Zimbra Collaboration Suite > Installation
#1
06-05-2008, 10:29 PM
Member, Posts: 10
Configure LDAP for external access with SSL+authentication?

I have a newly installed ZCS running behind a firewall with a split-dns setup. Currently everything works perfectly. I have opened up the SMTP, HTTPS, and IMAP SSL ports in my firewall and external access works.

I would like to open up the LDAP port on my firewall, but I have read that the default configuration of Zimbra allows anybody to read the LDAP data. I have received some cryptic answers in another, related thread about changing slapd.conf to limit connections to SSL and to require authentication to gain access.

I looked at the slapd.conf file and there are some commented-out "access to" lines that are described as setting up authenticated access, but I'm not sure if, after uncommenting those, I need to comment out the other "access to" lines.

Can somebody provide a sample slapd.conf file that configures the LDAP server to only allow SSL encrypted connections that require the user to authenticate? Once I get that, then I can open the LDAP port on my firewall and external users can access the GAL without a VPN.

Thanks,
Dave

Last edited by dwhuseby; 06-05-2008 at 10:31 PM. Reason: added link to other thread
#2
06-05-2008, 10:36 PM
Member, Posts: 10

Here's what I'm talking about:

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

So what do I put here to force the LDAP server to only accept SSL connections? I know that other Zimbra servers need to access the LDAP server, so how do I tell them to use SSL links to the LDAP server so that they can still connect? Is there a way to allow non-SSL local connections but still require remote connections to use SSL?

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth

I think I understand this part, but I'm not sure if I want to allow anyone to read the root and subschema (sub)entry DSEs. Ideally, I want the configuration to only allow authenticated users to read/write the directory data.

Thanks,
Dave
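An added example, not from this thread and not Zimbra's own code: a small evaluator for the two slapd.conf directives quoted in the post above ("security" and "access to"), so that the effect of uncommenting those lines can be checked before the LDAP port is opened. It models the documented OpenLDAP rules: directives are taken in file order, the first "access to" whose <what> matches the entry is used, and inside it the first "by" clause matching the requester decides; if no "by" clause matches, access is denied. It also reads the "security" line, because once "security ssf=128" is active the server refuses operations on any session that lacks at least 128-bit protection, which in practice means only TLS-protected sessions get served. Everything else is an assumption and labelled as such: the two sample configurations and the DNs are constructed, only the <what>/<who> forms that appear in the thread are supported, rootdn (which bypasses ACLs) is not modelled, and an entry matched by no directive at all is treated as denied.

```python
"""Evaluate OpenLDAP slapd.conf 'security' and 'access to' directives.
Added example; sample configs and DNs below are constructed, not Zimbra's."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def _directives(conf_text):
    """Yield logical lines: comments removed, indented continuation lines joined."""
    buf = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # commented-out lines vanish here
        if not line.strip():
            continue
        if line[0] in " \t" and buf is not None:
            buf += " " + line.strip()          # "by ..." continuation of current directive
        else:
            if buf is not None:
                yield buf
            buf = line
    if buf is not None:
        yield buf


def parse_acls(conf_text):
    """Return [(what, [(who, level), ...]), ...] for every active 'access to' directive."""
    acls = []
    for d in _directives(conf_text):
        if d.startswith("access to"):
            what = re.match(r"access to\s+(.+?)(?=\s+by\s|$)", d).group(1)
            acls.append((what, re.findall(r"\bby\s+(\S+)\s+(\S+)", d)))
    return acls


def security_requirements(conf_text):
    """Return e.g. {'ssf': 128, ...} from an active 'security' line, or {} if none.
    With no requirement (ssf 0) a cleartext session can perform operations."""
    reqs = {}
    for d in _directives(conf_text):
        if d.startswith("security"):
            reqs.update((k, int(v)) for k, v in re.findall(r"(\w+)=(\d+)", d))
    return reqs


def _what_matches(what, entry_dn):
    if what == "*":
        return True
    m = re.match(r'dn\.(base|subtree)="(.*)"', what)
    if not m:
        raise ValueError("unsupported <what>: " + what)   # assumption: only these forms
    scope, dn, e = m.group(1), m.group(2).lower(), entry_dn.lower()
    return e == dn if scope == "base" else (dn == "" or e == dn or e.endswith("," + dn))


def _who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported <who>: " + who)          # assumption: only these forms


def access_level(acls, entry_dn, bind_dn=None):
    """Access level (one of LEVELS) that bind_dn (None = anonymous) gets on entry_dn."""
    for what, bys in acls:
        if _what_matches(what, entry_dn):
            for who, level in bys:
                if _who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"          # <what> matched, no <who> matched: denied
    return "none"                  # assumption: no directive matched at all: denied


# Constructed sample 1: the thread's policy lines uncommented, but a permissive
# 'access to * by * read' left in place ABOVE them; the 'security' line is still
# commented out. First matching directive wins, so the policy below is dead.
PERMISSIVE_FIRST = """\
# security ssf=1 update_ssf=112 simple_bind=64
access to * by * read
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
"""

# Constructed sample 2: permissive line removed, 'security' activated at 128 bits.
POLICY_ONLY = """\
security ssf=128 update_ssf=128 simple_bind=128
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
"""

DAVE = "uid=dave,ou=people,dc=example,dc=com"     # constructed DNs
OTHER = "uid=other,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    for name, conf in (("permissive first", PERMISSIVE_FIRST), ("policy only", POLICY_ONLY)):
        acls = parse_acls(conf)
        print(name, "| security:", security_requirements(conf) or "none",
              "| anonymous on user entry:", access_level(acls, DAVE),
              "| dave on own entry:", access_level(acls, DAVE, DAVE))
```

Running it shows the two outcomes the question is about: with the permissive line left above the policy, anonymous clients still get "read" on user entries and even the owner never reaches "self write"; with only the policy lines active, anonymous clients get "auth" (enough to bind, nothing more), authenticated users get "read", the owner gets "write", and the root and cn=Subschema DSEs stay readable because their own "access to" lines come first.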