Re: LDAP authentication and authorization using Debian and Active Directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Jim,

Would it be possible to share your imapd configuration? I’m wondering if you have any configuration line specifying the certificate and ca trust for ldap comms (client cert and key) and trusting the issuing of the server cert?

Just reading the doc, at least in 2.5 release notes the following changes appear to have been made. Just wondering if it isn’t attempting secure negotiation due to not finding or being able to read certs (that I suspect are necessary)? Just a stab in the dark. 

Option Name Changes for ldap_tls_*

Configuration option names for LDAP SSL/TLS configuration in imapd.conf(5) have been changed:

ldap_ca_dir (was: ldap_tls_cacert_dir)

ldap_ca_file (was: ldap_tls_cacert_file)

ldap_client_cert (was: ldap_tls_cert)

ldap_verify_peer (was: ldap_tls_check_peer)

ldap_ciphers (was: ldap_tls_ciphers)

ldap_client_key (was: ldap_tls_key)

Regards


Sent from my iPhone

On 19/06/2021, at 04:07, jwallis@xxxxxxxxxxxxxxxxx wrote:


Enabling TLS was not as straightforward as I'd hoped.

If I use ldaps://...:636
ptload does not appear to even attempt to negotiate TLS  connection ne simply reports that a simple bind failed.

If I use ldap://...:389 and enable ldap_start_tls: 1
ptload sends LDAP_START_TLS_OID
The server responds with LDAP_START_TLS_OID
The client then sends something in SSL and the process times out.

If I use ldapsearch with the ldaps://...:636 and the same bind credentials, it issues a client Hello the server responds with server hello and they negotiate a TLS1.2 connection and data is passed.

If I use ldapsearch with the ldap://...:389, -ZZ and the same bind credentials
ldapsearch sends LDAP_START_TLS_OID
The server responds with LDAP_START_TLS_OID
ldapsearch then sends client hello, servers responds and offer certificates and TLS1.2 connection is negotiated and data is passed.

Is there something messed up in ptload so it isn't sending a client hello to start a TLS session? I don't see anything in the imap.conf options that would affect this, I have set the path to the CA cert for the LDAP server so it will be happy once it gets the certificate, but it isn't even asking for the certificate.

Did I miss something at compile time that is needed to get ptload built with SSL support? Cyrus-imapd has it OK, it offers starttls to the client (e.g. imtest) and negotiates its fine, but ptloader doesn't seem to know about starting a TLS session.

My imap server and my LDAP server are both on the same LAN so TLS between them is not critical right now, but I think microsoft will look to enforce encrypted LDAP lookups on AD DCs in the future so it would be best to get it working now if possible.

Regards
Jim

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux