Thread: LDAP/LDAPS - how to???

  1. #1
    LDAP/LDAPS - how to???

    Hi,

    I have opened port 389 and port 636 in iptables on my zimbra server. So, I want to connect from a remote server to do some ldap authentication:

    This works (uses port 389 - regular LDAP)
    Code:
    ldapsearch -x -v -H 'ldap://zimbra.mydomain.com/' -b 'ou=people,dc=mydomain,dc=com'  -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
    This fails (uses port 636 - secure LDAP) and
    Code:
    ldapsearch -x -v -H 'ldaps://zimbra.mydomain.com/' -b 'ou=people,dc=mydomain,dc=com'  -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
    Here is the detailed output of this ldapsearch:
    Code:
    ldap_initialize( ldaps://zimbra.mydomain.com )
    ldap_create
    ldap_url_parse_ext(ldaps://zimbra.mydomain.com)
    Enter LDAP Password: 
    ldap_bind_s
    ldap_simple_bind_s
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection
    ldap_int_open_connection
    ldap_connect_to_host: TCP zimbra.mydomain.com:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 192.168.1.1:636
    ldap_connect_timeout: fd: 3 tm: -1 async: 0
    ldap_ndelay_on: 3
    ldap_is_sock_ready: 3
    ldap_is_socket_ready: error on socket 3: errno: 111 (Connection refused)
    ldap_close_socket: 3
    ldap_perror
    ldap_bind: Can't contact LDAP server (-1)
    So, zimbra is refusing the connection on 636, but the firewall is open?

    So, let's see if LDAP is running on Zimbra (as root on zimbra box):
    Code:
    >nmap localhost
    Interesting ports on localhost.localdomain (127.0.0.1):
    Not shown: 1669 closed ports
    PORT      STATE SERVICE
    22/tcp    open  ssh
    25/tcp    open  smtp
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    143/tcp   open  imap
    443/tcp   open  https
    953/tcp   open  rndc
    993/tcp   open  imaps
    Yikes, nmap doesn't see any LDAP running?

    WTF?

    How does query on 389 work? Why is it failing on 636?

    So, I'm totally confused! Please enlighten this neophyte
    Last edited by jdell; 11-03-2006 at 05:25 PM.

  2. #2
    Zimbra LDAP uses only 389 and not 636.

    Try "nmap your.hostname.com". The LDAP listens on your external IP, not localhost.
    Regards,

    Chintan Zaveri
    (Yet another ZIMBRAN!)

    "Dhundhne par Bhagwan bhi ..."

  3. #3
    Quote Originally Posted by czaveri
    Zimbra LDAP uses only 389 and not 636.

    Try "nmap your.hostname.com". The LDAP listens on your external IP, not localhost.
    OK, seems odd that zimbra LDAP doesn't listen on localhost when it binds to everything else.

    But, I'm really baffled that Zimbra doesn't do secure LDAP

    Security 101 says anytime you pass username and password over the network, you should be using a secure protocol.

    Do you know a way to enable LDAPS for Zimbra?

  4. #4
    I don't know squat about LDAP... how to get client to trust server cert?

    Any LDAP gurus...

    Short version:
    Where is the Zimbra LDAP CA file and how do I install it on a client so I can do LDAP with TLS queries to the Zimbra Server?

    Long version:
    I figured out how I can manually start LDAPS by editing /opt/zimbra/bin/ldap, but after doing that and reading more, I realized that I don't need to do that because TLS can be initiated over regular LDAP on port 389, and that is what zimbra is set up to do.

    The ldapsearch command I'm running is now:
    Code:
    ldapsearch -x -Z -v -H 'ldap://zimbra.mydomain.com' -b 'ou=people,dc=mydomain,dc=com'  -D 'uid=jdell,ou=people,dc=mydomain,dc=com' -W
    So, the problem I'm running into now is that the client machine doesn't trust the SSL certificate used by Zimbra. When I run ldapsearch with -Z (start TLS) from the client to Zimbra, I get this:

    Code:
    ldap_start_tls: Connect error (-11)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Docs here: http://www.openldap.org/faq/data/cache/185.html suggest that you should add the CA to the trusted CA's on the client.

    Where is the CA file that Zimbra uses for generating its certificates?

    I see the slapd.key and slapd.crt in /opt/zimbra/conf, but those are not CA files according to /opt/zimbra/conf/slapd.conf; they are TLSCertificateFile and TLSCertificateKeyFile, not CA files.

    If I can't get the CA file, can you configure a client with just a copy of the slapd.crt and slapd.key?

  5. #5
    Got it!!!!

    Wow, finally got it working!

    The machine I'm running the LDAP queries from is RHEL4 (as well as Zimbra). For different host OSes you may need to put the CA .pem file in a different place. Also, on RHEL4, there are 2 ldap.conf files! Adding the setting to /etc/ldap.conf won't work, but it will in /etc/openldap/ldap.conf.

    So, here are the steps:

    Copy the /opt/zimbra/conf/ca/ca.pem to /etc/openldap/cacerts on the target machine.

    Edit /etc/openldap/ldap.conf and add the following:
    TLS_CACERT /etc/openldap/cacerts/ca.pem (or whatever you named the file).

    This query will now work!

    Code:
    >ldapsearch -x -ZZ -v -H 'ldap://zimbra.domain.com' -b 'ou=people,dc=domain,dc=com'  -D 'uid=jdell,ou=people,dc=domain,dc=com' -W
    The -ZZ flag forces TLS and will fail if TLS doesn't negotiate properly.

    Woot!!!
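    As an added example (not from this thread or from Zimbra), the following POSIX sh script checks the client-side trust configuration that posts #4 and #5 are about before you run ldapsearch -ZZ: it reads TLS_CACERT from the ldap.conf you point it at (on RHEL4 that is /etc/openldap/ldap.conf, not /etc/ldap.conf, as the poster found) and confirms the file it names is a readable PEM certificate. The config and certificate it feeds itself at the bottom are constructed placeholders, not the Zimbra ca.pem.

```shell
#!/bin/sh
# Added example: verify the OpenLDAP client trust setup described in the thread.

# Print the path from the (last) TLS_CACERT directive in an ldap.conf file.
# Directive names are case-insensitive; commented-out lines are skipped
# because their first field starts with '#'.
ldap_cacert_path() {
    awk 'toupper($1) == "TLS_CACERT" { p = $2 } END { print p }' "$1"
}

# Return 0 when the file is readable and holds at least one PEM certificate.
pem_has_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 when CONF names a usable CA file; otherwise say what is wrong.
# With no trusted CA, ldapsearch -ZZ fails with "certificate verify failed"
# (post #4), while plain -Z would fall back to sending the bind in the clear.
check_ldap_client_tls() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "$conf: not readable (RHEL4 uses /etc/openldap/ldap.conf, not /etc/ldap.conf)"
        return 1
    fi
    ca=$(ldap_cacert_path "$conf")
    if [ -z "$ca" ]; then
        echo "$conf: no TLS_CACERT directive, so the Zimbra CA is not trusted"
        return 1
    fi
    if ! pem_has_cert "$ca"; then
        echo "$ca: missing, unreadable, or not a PEM certificate"
        return 1
    fi
    echo "TLS_CACERT=$ca looks usable; ldapsearch -x -ZZ should negotiate TLS"
    return 0
}

# Demo on a constructed config and a placeholder certificate (not real data).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo_dir/ca.pem"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$demo_dir/ca.pem" > "$demo_dir/ldap.conf"
check_ldap_client_tls "$demo_dir/ldap.conf"
rm -rf "$demo_dir"
```

Point it at the real file with `check_ldap_client_tls /etc/openldap/ldap.conf` after copying ca.pem into /etc/openldap/cacerts as described above.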

  6. #6
    Quote Originally Posted by jdell
    Wow, finally got it working!
    Great Job, jdell!

    Regards,

    Chintan Zaveri
    (Yet another ZIMBRAN!)

    "Dhundhne par Bhagwan bhi ..."
