Thread: External LDAP auth + TLS + import cacert

  1. #1

    I'm doing external LDAP auth and our LDAP server cert is signed by our local CA. When I enable TLS in Zimbra's external authentication settings, and then I set our LDAP server to require TLS, the Zimbra authentication is failing with "LDAP: error code 49 - Invalid Credentials". If I allow the LDAP server to accept non-TLS binds if STARTTLS fails, then it works.

    In my experience, this means one of two things:

    1. Zimbra is not using the FQDN for the LDAP server
    or
    2. Zimbra does not have access to the cacert that signed the LDAP server's cert

    I've configured external auth in the admin interface, enabling TLS there and using the FQDN for the LDAP server. I also verified that the cacert from our local CA is in the Zimbra keystore (which makes sense, because it's the same CA that signed Zimbra's own certificate).

    ldapsearch binds as user zimbra from the command line to the external LDAP server work fine even when forcing TLS with -ZZ.

    What am I missing? Is there an ldap.conf somewhere that needs to be modified? I see that our local CA's cert is in /opt/zimbra/conf/ca with the appropriate hashed filename. It looks like everything is in place, but no dice.

    Any thoughts?

  2. #2
    phoenix, Zimbra Consultant & Moderator

    Requiring TLS for External Authentication is for users authenticating when they use the Zimbra server, it's not for an external LDAP authentication. This from the Admin UI help file:

    Enable authentication

    Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail.

    TLS authentication only

    When checked, forces all SMTP auth to use Transaction Level Security (similar to SSL) to avoid passing passwords in the clear.

    Regards


    Bill

  3. #3

    I'm not sure I follow you. Here's my situation and goal:

    User goes to Zimbra web interface (or attempts to log into Zimbra via their IMAP client). They provide a username and password. Zimbra attempts to use those credentials to bind to our centralized LDAP server in order to authenticate the user.

    Right now Zimbra is sending that traffic in plain text. I want to use TLS to encrypt it. This means telling Zimbra to use TLS when it attempts to communicate with our LDAP server.

    I'm going into my Zimbra admin interface, clicking domains, clicking my domain, clicking Configure Authentication, choosing External LDAP, giving the name of our LDAP server, and enabling StartTLS.

    You said "Requiring TLS for External Authentication is for users authenticating when they use the Zimbra server, it's not for an external LDAP authentication". I think we are talking about the same thing - no?

  4. #4

    Ah, I see that you are looking at a different area of the admin interface. I'm not talking about configuring TLS for the MTA, I'm talking about when users log in to Zimbra via the web interface or IMAP clients. Here is the relevant portion of the admin UI help files:

    External LDAP

    The external LDAP authentication mechanism attempts to bind to the specified directory server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid. You configure the following External LDAP settings:

    * LDAP URL and whether to use SSL or StartTLS. Enter the LDAP address. Check either to use SSL or StartTLS.
      The default port is 389. If you use SSL, the default port is 636.
      You can configure multiple external LDAP hosts.
    * LDAP filter. The filter defines the search rules used for directory searches and tries to map the user name to one user on the external LDAP. You should ensure that the filter you enter results in a single entry being matched, otherwise an authentication error is returned to the user.
      Example of the search filter is (mail=%u@mycompany.com).
    * LDAP search base. To search within a specific part of your directory, enter a search base. It would be entered as (dc=server,dc=com).
    * Use DN/Password to bind to external server. If the filter you entered cannot be run using an anonymous bind, then enter the DN/password for a service account on the external LDAP that has been granted access to the attributes required to do the search.

    Having figured out that confusion, we are back to the original problem. The STARTTLS to the external LDAP server is failing, and what I'm trying to determine is 1. why and 2. where the settings for external LDAP auth are stored in the config files so I can try to track down the problem.

    It seems to me the most likely candidate is that it's not seeing the right cacert when it's making the connection to the external LDAP, but the cacert is in the jetty keystore, and it's also on the filesystem, so it could just be that an ldap.conf somewhere needs editing. But all the ones I can see on the filesystem (within /opt/zimbra, plus /etc/ldap.conf and /etc/openldap/ldap.conf) look correct.

  5. #5
    phoenix, Zimbra Consultant & Moderator

    Regards


    Bill

  6. #6

    I don't think so. :-)

    That bug is referring to using external LDAP for a GAL. Notice that in the Zimbra GAL Configuration Wizard for a domain, if you choose an external LDAP for your GAL it does not offer the option to start TLS.

    However, in the Authentication Configuration Wizard TLS is an option, and unless there's a checkbox on the Zimbra interface that truly does nothing, then I don't think that bug applies to my situation.

    If I click Domains -> click my domain -> click Configure Authentication -> choose External LDAP and click Next, notice that there's a checkbox on that page called "Enable StartTLS".

    And when I enable it, I see that it *IS* trying to start a TLS connection, but it's failing with an error message that typically indicates a problem verifying the LDAP server's certificate against a CA cert.

    I'm fairly confident that Zimbra supports what I want to do, and that it is a CA cert configuration issue. I've been enabling TLS all over our domain lately from clients to the LDAP server, and I've seen this error on many of them.

    Normally I can just edit /etc/openldap/ldap.conf and /etc/ldap.conf and point them to the right cacert, but Zimbra stores certs both on the filesystem and inside the jetty keystore, and also has multiple ldap.conf files in non-standard locations, so I'm having a heck of a time tracking down where the configuration needs to happen.
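    A small diagnostic that does what Zimbra's client is doing at this point (plain LDAP connect, StartTLS, then chain and hostname verification against a chosen CA file), added here as an example; it is not code from this thread or from Zimbra. It reports which of the two causes listed in post #1 applies (name mismatch vs. CA not trusted); the host and CA file path are assumed to be given on the command line.

```python
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID (RFC 4511)

def build_starttls_request(msg_id=1):
    """BER-encode an LDAPMessage carrying a StartTLS ExtendedRequest ([APPLICATION 23])."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # requestName [0]
    ext = b"\x77" + bytes([len(name)]) + name                     # ExtendedRequest
    body = b"\x02\x01" + bytes([msg_id]) + ext                    # messageID INTEGER + op
    return b"\x30" + bytes([len(body)]) + body                    # LDAPMessage SEQUENCE

def _tlv(buf, i):
    """Read one BER tag/length/value at offset i; handles short and long-form lengths."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                               # long form: low bits = number of length bytes
        n = ln & 0x7F
        ln = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + ln], i + ln

def parse_result_code(resp):
    """Return resultCode from an ExtendedResponse ([APPLICATION 24]); 0 means success."""
    tag, msg, _ = _tlv(resp, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, _msg_id, i = _tlv(msg, 0)                # skip messageID
    tag, ext, _ = _tlv(msg, i)
    assert tag == 0x78, "not an ExtendedResponse"
    tag, code, _ = _tlv(ext, 0)
    assert tag == 0x0A, "resultCode missing"    # ENUMERATED
    return int.from_bytes(code, "big")

def check_starttls(host, cafile, port=389, timeout=5):
    """Send StartTLS, then verify the server cert against cafile and the name in host; return "ok ..." or the failure."""
    ctx = ssl.create_default_context(cafile=cafile)     # chain + hostname verification enabled
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        code = parse_result_code(raw.recv(4096))
        if code != 0:
            return f"server refused StartTLS (LDAP resultCode {code})"
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok, negotiated " + tls.version()
        except ssl.SSLCertVerificationError as e:       # e.g. "unable to get local issuer
            return "verify failed: " + e.verify_message  # certificate" or a hostname mismatch

if __name__ == "__main__":                               # usage: script.py ldap.example.com ca.pem
    print(check_starttls(sys.argv[1], sys.argv[2]))
```

    Run it once with the server's FQDN and once with its IP address: a failure only in the second run points at cause 1, a failure in both at cause 2.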

  7. #7

    Actually I think you are right - I see that the bug poster was trying to do auth, too.

    My new question would be - why the heck is the checkbox on the interface? :-)

    I guess I need to hit the Bugzilla and find out if my problem is really his problem. Thanks for the pointer.

  8. #8

    And it seems they are still in the process of testing it for 6.0.0.

    Bug 37997 – auth failure due to bad tls connection to ldap

    Bummer.
