Re: LDAP authentication and authorization using Debian and Active Directory


 



Hi Jim,

No worries, understand your requirement to keep it confidential. Have you confirmed whether the CA certificate can be found/read?

Also wondering if you could perhaps just share the ldap configuration lines (cat imapd.conf | grep "ldap_").

I’m curious if you have ldap_start_tls: configured, e.g. have you tried toggling starttls no/yes, direct tls/ssl, and curious if ldap_servers: ldap://ldap.server or ldaps://ldap.server, to see if behaviour changes with different combinations?

Regards
Andrew

On 22/06/2021, at 03:24, jwallis@xxxxxxxxxxxxxxxxx wrote:


Hi Andrew,
I didn't have client certificate and key configured because I assumed ptclient would be happy just verifying the server certificate (the CA cert for it is installed and properly referenced in imapd.conf) the same as saslauthd and ldapsearch manage with. The other parameters are all configured and as far as I can see correct, i.e. the directory and file parameters point to the correct directory and file for the CA certificate.
In case the client cert and key were needed, I tried initially with the snakeoil cert and key (no difference) and then just in case that wasn't set up as a client cert, I created a new request and generated a new client/server certificate on my Windows CA which I re-exported and is now in the correct location and referenced properly in imapd.conf, but still no change to how either ldaps, or starttls are failing.

I could share the entire imapd.conf, but it is Debian based so has a lot of comments and a lot of commented out options before you even get to the authorization section and I will need to be really careful to modify anything company specific, so I am trying not to share it, but will if it is the only way.

Thanks
Jim
