
Thread: Enable LDAP over TLS _and_ SSL

  1. #1
    Join Date
    Nov 2008
    Location
    Denver, CO
    Posts
    221
    Rep Power
    6

    Enable LDAP over TLS _and_ SSL

    I've read the various threads on LDAP TLS and SSL. It seems, for some reason, that Zimbra considers them mutually exclusive. The wiki shows disabling TLS if you want to enable SSL. I realize that ldaps is kind of a hack, but some LDAP clients (e.g. Thunderbird) only support SSL. In OpenLDAP, it's no problem to enable both. So, I tried setting the config using zmlocalconfig, then tried manually changing the localconfig.xml file. Zimbra errored with either of these approaches; it does not like the <space> between URLs. So I tried altering the 'ldap' startup file in /opt/zimbra/bin, apparently successfully. In the start() section, I commented out the existing bind_url lines for zmslapd and hard-coded the URLs.

    sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -4 \
    -u zimbra -h "ldap://mail.myserver.com:389 ldaps://mail.myserver.com:636" -f /opt/zimbra/conf/slapd.conf
    # -u zimbra -h "${bind_url}" -f /opt/zimbra/conf/slapd.conf

    There are 2 entries in the start() section, you need to alter them both.
    This should just add the 636 port for slapd to listen on. This should work, shouldn't it, and couldn't this be made part of the ordinary Zimbra config? So far, it seems to be working for me, including LDAP lookups over 636.

  2. #2
    Join Date
    Oct 2006
    Location
    Bangalore, India
    Posts
    95
    Rep Power
    8


    Hi LaFong,

    I am also looking for an option to enable ldaps in Zimbra for address book access. Currently they are saying Zimbra is using TLS on port 389 and that TLS and SSL will not work simultaneously.

    On which version did you do this, and how is it working now?

    thanks,

    Premod

  3. #3
    Join Date
    Nov 2008
    Location
    Denver, CO
    Posts
    221
    Rep Power
    6


    We're using the current version, 5.0.11. I did not try TLS on 389. LDAP on 389 and LDAPS (SSL) on 636 work simultaneously, we are using it now. I haven't gotten around to testing disabling anonymous binds, but the changes to slapd.conf.in are easy.

  4. #4
    Join Date
    Nov 2007
    Location
    Wilmore, KY
    Posts
    28
    Rep Power
    7


    Quote Originally Posted by LaFong View Post
    We're using the current version, 5.0.11. I did not try TLS on 389. LDAP on 389 and LDAPS (SSL) on 636 work simultaneously, we are using it now. I haven't gotten around to testing disabling anonymous binds, but the changes to slapd.conf.in are easy.
    How were you able to get zimbra's ldap to bind to both 389 and 636 simultaneously? I thought it could only bind to one or the other.

  5. #5
    Join Date
    Nov 2008
    Location
    Denver, CO
    Posts
    221
    Rep Power
    6


    Zimbra uses openldap. The openldap daemon, slapd, can listen to multiple IP addresses, ports, and sockets, merely by quoting them separated by spaces.
    OpenLDAP, Software, Man Pages: slapd
    Zimbra 5.x may only communicate with slapd via 389, but slapd can still listen on other ports for external ldap clients.
    Last edited by LaFong; 11-18-2009 at 03:27 PM.

  6. #6
    Join Date
    Feb 2009
    Posts
    188
    Rep Power
    6


    Did anyone enable Zimbra's LDAP on 389 and 636 (SSL) simultaneously?
    I have default settings and have LDAP on 389, and want to make it work on SSL, i.e. 636.

    ???
    regards
    Adeel

  7. #7
    Join Date
    Sep 2009
    Location
    Philippines
    Posts
    11
    Rep Power
    6

    ldaps:// on 6.0.x

    I managed to make it work on zcs 6.0.x by "modifying" the bin/ldap script, adding an ldaps:// entry on the lines indicated by LaFong but leaving the ${bind_url}:

    -u zimbra -h "${bind_url} ldaps://mail.myserver.com:636 ldapi:///" -F /opt/zimbra/data/ldap/config

    ldap now listens to both 389 (ldap://) and 636 (ldaps://).

  8. #8
    Join Date
    Nov 2008
    Location
    Denver, CO
    Posts
    221
    Rep Power
    6


    Yeah, I hardcoded both just to be sure it worked. I finally upgraded to 6.0.x, and decided to make them both variables:

    Add ldaps_url to localconfig:
    [zimbra@mail bin]# zmlocalconfig -e ldaps_url="ldaps://mail.mydomain.com:636"

    Modify bin/ldap
    [zimbra@mail bin]# diff -u ldap.orig ldap
    --- ldap.orig 2010-02-15 11:26:47.000000000 -0700
    +++ ldap 2010-02-15 12:39:27.000000000 -0700
    @@ -23,6 +23,7 @@
    zmsetvars \
    ldap_is_master \
    ldap_url \
    + ldaps_url \
    ldap_bind_url \
    ldap_master_url \
    ldap_replica_rid \
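Review bot: `ldaps_url` is added to the zmsetvars list, but nothing in the script defaults it, so on a server where `zmlocalconfig -e ldaps_url=...` was never run the variable expands to an empty string and the listener list silently falls back to ldap:// plus ldapi:///. That is a safe fallback, but a one-line comment next to `ldap_url` saying the key is optional and hand-set would help, since an upgrade that regenerates bin/ldap will drop this line without warning and the 636 listener will just disappear.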
    @@ -126,13 +127,13 @@
    bind_url=$(echo ${ldap_url} | awk '{print $1}')
    fi
    sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -4 \
    - -u zimbra -h "${bind_url} ldapi:///" -F /opt/zimbra/data/ldap/config
    + -u zimbra -h "${bind_url} ${ldaps_url} ldapi:///" -F /opt/zimbra/data/ldap/config
    sleep 5
    for ((i =0; i < 6; i++)); do
    checkrunning
    if [ $RUNNING = 0 ]; then
    sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -4 \
    - -u zimbra -h "${bind_url} ldapi:///" -F /opt/zimbra/data/ldap/config
    + -u zimbra -h "${bind_url} ${ldaps_url} ldapi:///" -F /opt/zimbra/data/ldap/config
    else
    break
    fi
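Review bot: the same listener string `"${bind_url} ${ldaps_url} ldapi:///"` is now repeated in both zmslapd invocations (the initial start and the retry inside the `for ((i =0; i < 6; i++))` loop); set it once, e.g. `listen_urls="${bind_url} ${ldaps_url} ldapi:///"`, and pass `-h "${listen_urls}"` in both places so a later edit cannot leave the retry path listening on a different set of ports. Also worth noting: if slapd rejects the ldaps:// URL (for example because its TLS settings are not usable), this loop re-runs the identical command up to six times with a `sleep 5` between attempts, so a failed start only shows up as a slow `ldap start`, and the actual reason has to be read from the LOCAL0 syslog output.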
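A small POSIX shell helper, added here as an example and not taken from the thread or from Zimbra's own bin/ldap script, that builds and sanity-checks the space-separated listener list slapd accepts through -h, the way LaFong's post #5 and the patched script above describe it: only the first URL of ldap_url is kept (what the original's awk '{print $1}' does), an empty ldaps_url is skipped instead of leaving a stray blank in the argument, ldapi:/// is always appended, and any URL whose scheme is not ldap://, ldaps:// or ldapi:// is rejected before it ever reaches slapd. The function names (build_listen_urls, listener_port, probe_ldaps) and the host names are assumptions made for the example; probe_ldaps needs openssl and a reachable server, the rest runs offline.

```shell
#!/bin/sh
# Added example: compose and validate the slapd -h listener list.
# Variable names ldap_url / ldaps_url mirror the localconfig keys used in
# the thread; everything else here is illustrative, not Zimbra code.

# Return 0 if the URL uses a scheme slapd accepts as a listener.
valid_listener_url() {
    case "$1" in
        ldap://*|ldaps://*|ldapi://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the TCP port a listener URL implies: an explicit :port if present,
# otherwise 389 for ldap:// and 636 for ldaps://; nothing for ldapi:// (a socket).
listener_port() {
    url=$1
    case "$url" in
        ldapi://*) echo ""; return 0 ;;
    esac
    hostport=${url#*://}          # strip scheme
    hostport=${hostport%%/*}      # strip any path
    case "$hostport" in
        *\])                      # bracketed IPv6 literal without a port
            case "$url" in ldaps://*) echo 636 ;; *) echo 389 ;; esac ;;
        *:*) echo "${hostport##*:}" ;;
        *)   case "$url" in ldaps://*) echo 636 ;; *) echo 389 ;; esac ;;
    esac
}

# build_listen_urls LDAP_URL [LDAPS_URL]
# Keeps only the first URL of LDAP_URL (ldap_url may hold several, space
# separated), appends LDAPS_URL only when it is non-empty, then ldapi:///.
# Every entry is checked so a typo in localconfig fails here, not in slapd.
build_listen_urls() {
    first=${1%% *}
    list="$first"
    if [ -n "$2" ]; then
        valid_listener_url "$2" || { echo "bad ldaps_url: $2" >&2; return 1; }
        list="$list $2"
    fi
    list="$list ldapi:///"
    for u in $list; do
        valid_listener_url "$u" || { echo "bad listener url: $u" >&2; return 1; }
    done
    echo "$list"
}

# Live check of the 636 listener after the change (needs openssl and network;
# not part of the offline checks): complete a handshake and print the
# certificate subject and validity dates the server presented.
probe_ldaps() {
    host=$1
    port=${2:-636}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Constructed sample values, same shape as the thread's localconfig entries.
ldap_url="ldap://mail.myserver.com:389 ldap://replica.myserver.com:389"
ldaps_url="ldaps://mail.myserver.com:636"
listen_urls=$(build_listen_urls "$ldap_url" "$ldaps_url")
echo "zmslapd -h \"$listen_urls\""
for u in $listen_urls; do
    echo "  $u -> port ${$(listener_port "$u"):-socket}" 2>/dev/null || true
done
```

Run it as-is to see the argument the patched script would pass to zmslapd; drop ldaps_url from the environment and the 636 entry vanishes without leaving a double space behind. Before touching bin/ldap, run build_listen_urls with the real localconfig values so that a malformed ldaps_url is caught in a shell, not during the six-retry start loop.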
