Results 1 to 1 of 1

Thread: mandatory starttls for external ldap authentication

  1. #1
    Join Date
    Jun 2011
    Posts
    1
    Rep Power
    4

    Default mandatory starttls for external ldap authentication

    hi,

    we're just evaluating zimbra to see if it fits our needs as a groupware package. to be able to do so, i want:

    - authenticate users against an external openldap directory
    - use indirect bind
    - tls encryption to be mandatory

    tls encryption on the ldap server is enforced via an acl entry for the zimbra server:
    Code:
    access to *
     by dn="cn=admin,dc=foo,dc=bar" write
    [...]
     by peername.ip=<zimbraip> ssf=128 read
    and a similar acl for userPassword, which works fine on the zimbra server:
    Code:
    zimbra@morbo:~$ ldapsearch -LLL -H ldap://<ldap server> -x -b dc=foo,dc=bar uid=someuser uid
    No such object (32)
    zimbra@morbo:~$ ldapsearch -LLL -H ldap://<ldap server> -ZZ -x -b dc=foo,dc=bar uid=someuser uid
    dn: uid=someuser,ou=users,dc=foo,dc=bar
    uid: someuser
    zimbra@morbo:~$
    now, zimbra seems to use starttls for bind operations only, but not for search operations. this causes the scheme outlined above to fail, since any non-encrypted connection won't return any results.

    it would be nice if someone could show a way around this behaviour, which is a show stopper for us at the moment.

    here are the slapd logs for reference:

    with starttls unticked and no ssf=xxx on the ldap server:
    Code:
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=3 fd=24 ACCEPT from IP=<zimbraip>:58139 (IP=0.0.0.0:389) 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=3 op=0 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=3 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=4 fd=25 ACCEPT from IP=193.104.220.20:58140 (IP=0.0.0.0:389) 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" method=128 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" mech=SIMPLE ssf=0 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=4 op=0 RESULT tag=97 err=0 text= 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=4 op=1 UNBIND 
    Jun  8 14:07:10 <ldap server> slapd[29465]: conn=4 fd=25 closed
    -> works, but no tls encryption at all

    with starttls ticked and no ssf=xxx on the ldap server:
    Code:
    Jun  8 14:09:22 <ldap server> slapd[29465]: conn=3 op=1 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" 
    Jun  8 14:09:22 <ldap server> slapd[29465]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 ACCEPT from IP=<zimbraip>:58162 (IP=0.0.0.0:389) 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 EXT oid=1.3.6.1.4.1.1466.20037 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 STARTTLS 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 op=0 RESULT oid= err=0 text= 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 TLS established tls_ssf=256 ssf=256 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" method=128 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 BIND dn="uid=someuser,ou=users,dc=foo,dc=bar" mech=SIMPLE ssf=0 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 op=1 RESULT tag=97 err=0 text= 
    Jun  8 14:09:23 <ldap server> slapd[29465]: conn=6 fd=26 closed (connection lost)
    -> works, but the search operation does not use starttls

    with starttls unticked and ssf=xxx on the ldap server:
    Code:
    Jun  8 14:18:04 <ldap server> slapd[10552]: conn=1 fd=24 ACCEPT from IP=<zimbraip>:45528 (IP=0.0.0.0:389) 
    Jun  8 14:18:04 <ldap server> slapd[10552]: conn=1 op=0 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" 
    Jun  8 14:18:04 <ldap server> slapd[10552]: conn=1 op=0 SEARCH RESULT tag=101 err=32 nentries=0 text=
    -> fails

    with starttls ticked and ssf=xxx on the ldap server:
    Code:
    Jun  8 14:19:29 <ldap server> slapd[10552]: conn=1 op=1 SRCH base="dc=foo,dc=bar" scope=2 deref=3 filter="(uid=someuser)" 
    Jun  8 14:19:29 <ldap server> slapd[10552]: conn=1 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
    -> fails

    tia,
    thoralf.
    Last edited by thoralf; 06-08-2011 at 05:37 AM.

Similar Threads

  1. External LDAP authentication problem
    By mchamboredon in forum Installation
    Replies: 2
    Last Post: 01-16-2008, 09:02 AM
  2. Ldap authentication fails but ldapsearch works
    By jherington in forum Installation
    Replies: 3
    Last Post: 11-19-2007, 10:51 PM
  3. External LDAP Authentication Issue
    By xtreme-one in forum Installation
    Replies: 10
    Last Post: 02-16-2007, 06:52 PM
  4. LDAP Authentication issue
    By premoddev in forum Administrators
    Replies: 7
    Last Post: 12-22-2006, 07:15 AM
  5. Authentication to external ldap stop working.
    By jahaj in forum Installation
    Replies: 3
    Last Post: 12-05-2006, 02:17 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •