1

Topic: Fails to configure LDAP over TLS

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5.-1
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Hi!
I need to access the LDAP address book from outside the network. I use a Let's Encrypt SSL certificate.
I am trying to configure it according to this guide: http://www.iredmail.org/docs/use.a.boug … cate.html.
In /etc/ldap/slapd.conf I made the following changes:
TLSCACertificateFile /etc/letsencrypt/live/mail.mydomain.ru/fullchain.pem
TLSCertificateFile /etc/letsencrypt/live/mail.mydomain.ru/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/mail.mydomain.ru/privkey.pem

After these changes, slapd does not start.
The following error appears in the logs:
....
Sep  4 16:14:05 mail slapd[1016]: main: TLS init def ctx failed: -1
Sep  4 16:14:05 mail slapd[1016]: slapd destroy: freeing system resources.
Sep  4 16:14:05 mail slapd[1016]: slapd stopped.
Sep  4 16:14:05 mail slapd[1016]: connections_destroy: nothing to destroy.

What am I doing wrong?


2

Re: Fails to configure LDAP over TLS

imak wrote:

TLSCACertificateFile /etc/letsencrypt/live/mail.mydomain.ru/fullchain.pem

Try 'chain.pem' instead of fullchain.pem.

3

Re: Fails to configure LDAP over TLS

Thanks for the quick response.
I replaced fullchain.pem with chain.pem, but slapd still does not start.
The logs mention AppArmor. Perhaps AppArmor is the reason now.
I have no way to check right now. I'll try tomorrow morning.

4

Re: Fails to configure LDAP over TLS

If it doesn't work, please grab the full original error message and paste here, so that others can help troubleshoot.

5

Re: Fails to configure LDAP over TLS

It worked for me!
If necessary, I am prepared to write up what was configured on the server, and where, to achieve this result.

6

Re: Fails to configure LDAP over TLS

Please share it.

7 (edited by imak 2016-09-09 23:30:16)

Re: Fails to configure LDAP over TLS

Happy to do it!

Configuring access to the global address book over an encrypted channel.
The source data:
- iRedMail version: 0.9.5.-1
- OS: Ubuntu 14.04
- Store mail accounts in which backend: LDAP
- Web server: Nginx
- Issuing the SSL certificate: Let's Encrypt

Task: configure access to the LDAP directory using SSL.

1. Make changes to the LDAP configuration file.
Instead of iRedMail's self-signed certificates, specify the ones received from Let's Encrypt.

$ sudo vim /etc/ldap/slapd.conf

TLSCACertificateFile /etc/letsencrypt/live/mail.MYDOMAIN.LTD/chain.pem
TLSCertificateFile /etc/letsencrypt/live/mail.MYDOMAIN.LTD/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/mail.MYDOMAIN.LTD/privkey.pem

Don't forget to replace mail.MYDOMAIN.LTD with your domain.

Ubuntu uses AppArmor, which blocks the new path to the certificates.
As a result, slapd does not start when you restart it.
I switched slapd from enforce mode to complain mode.

$ sudo aa-complain /etc/apparmor.d/usr.sbin.slapd

Now edit /etc/default/slapd and change the following line to this:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Now restart slapd:

$ sudo service slapd restart

Then edit /etc/default/iptables and uncomment the following line:

-A INPUT -p tcp --dport 636 -j ACCEPT

Now restart iptables:

$ sudo service iptables restart

Check from another host that ldaps is now reachable from outside:

imak@lucifer:~$ nmap mail.maydomain.ltd
......
Not shown: 991 filtered ports
PORT     STATE  SERVICE
25/tcp   open   smtp
80/tcp   open   http
143/tcp  open   imap
389/tcp  open   ldap
443/tcp  open   https
587/tcp  open   submission
636/tcp  open   ldapssl
993/tcp  open   imaps
3306/tcp closed mysql

Nmap done: 1 IP address (1 host up) scanned in 4.77 seconds

It is now possible to configure Thunderbird to connect to the global address book using 636 port.

Sorry again for my English.
And correct me if there are errors in the design.
This is my first experience.
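An added example (not from this post or from iRedMail) that checks the two things the walkthrough above had to fix by hand: whether an enforced AppArmor profile has a read rule covering every TLS file named in slapd.conf, and whether SLAPD_SERVICES lists ldaps:///. The slapd.conf lines, the profile and the /etc/default/slapd contents are constructed inputs; AppArmor's '**' and '*' glob semantics are implemented as the profile language defines them.

```python
import re
# Constructed inputs (not from the post): slapd.conf TLS lines after step 1,
# a stock-style slapd AppArmor profile's read rules, /etc/default/slapd before/after step 3.
SLAPD_CONF = """\
TLSCACertificateFile /etc/letsencrypt/live/mail.example.test/chain.pem
TLSCertificateFile /etc/letsencrypt/live/mail.example.test/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/mail.example.test/privkey.pem
"""
APPARMOR_PROFILE = """\
/usr/sbin/slapd {
  /etc/ldap/** r,
  /etc/ssl/certs/** r,
  /etc/ssl/private/** r,
}
"""
DEFAULT_SLAPD_BEFORE = 'SLAPD_SERVICES="ldap:/// ldapi:///"\n'
DEFAULT_SLAPD_AFTER = 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"\n'
TLS_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")

def tls_files(slapd_conf):
    """Map each TLS* directive in slapd.conf to its configured path."""
    found = {}
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            found[parts[0]] = parts[1]
    return found

def apparmor_glob_to_regex(glob):
    """AppArmor path globs: '**' may span directories, '*' may not."""
    pattern = re.escape(glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + pattern + "$")

def readable_globs(profile):
    """Path rules in the profile whose mode string includes 'r'."""
    rule = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),")
    matches = (rule.match(line) for line in profile.splitlines())
    return [m.group(1) for m in matches if m and "r" in m.group(2)]

def blocked_by_apparmor(slapd_conf, profile):
    """TLS file paths that no read rule of an enforced profile covers."""
    patterns = [apparmor_glob_to_regex(g) for g in readable_globs(profile)]
    return sorted(path for path in tls_files(slapd_conf).values()
                  if not any(rx.match(path) for rx in patterns))

def ldaps_enabled(default_slapd):
    """True when SLAPD_SERVICES in /etc/default/slapd lists ldaps:///."""
    m = re.search(r'^SLAPD_SERVICES="([^"]*)"', default_slapd, re.M)
    return bool(m) and "ldaps:///" in m.group(1).split()
```

The paths it reports are the ones to grant in a local override of the slapd profile, which keeps enforce mode on instead of switching to complain mode; because AppArmor mediates the resolved path, the Let's Encrypt archive directory that the live/ symlinks point to needs a rule as well.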

8

Re: Fails to configure LDAP over TLS

Thanks for sharing.

Curious, why not use port 389 with STARTTLS?

9

Re: Fails to configure LDAP over TLS

I just don't know how to do it correctly.
This will be the next step.

10

Re: Fails to configure LDAP over TLS

There is no big difference from a normal plain connection; you just issue the STARTTLS directive to establish a secure connection. It is nearly the same as SMTP over TLS (submission, port 587).

Standalone SSL services like SMTPS (SMTP over SSL) and LDAPS (LDAP over SSL) will be deprecated in the future; using the same port with a TLS layer is recommended.

11

Re: Fails to configure LDAP over TLS

ZhangHuangbin wrote:

There is no big difference from a normal plain connection; you just issue the STARTTLS directive to establish a secure connection. It is nearly the same as SMTP over TLS (submission, port 587).

Standalone SSL services like SMTPS (SMTP over SSL) and LDAPS (LDAP over SSL) will be deprecated in the future; using the same port with a TLS layer is recommended.

Could you maybe explain in detail how to secure outgoing connections using STARTTLS?

12

Re: Fails to configure LDAP over TLS

Excuse me, what do you mean "secure outgoing connections using STARTTLS"?

*) While a user submits email from the MUA to the server, the connection is secured by the submission service (SMTP over TLS, port 587).
*) While your server sends email to the destination server, with the Postfix setting "smtp_tls_security_level = may" it will first try to establish a secure connection to the destination server and, if that fails, fall back to a plain connection. Reference:
http://www.postfix.org/postconf.5.html# … rity_level

Note: the destination server must support this feature, otherwise your Postfix cannot establish the secure connection.

13 (edited by alex42 2016-10-04 11:55:00)

Re: Fails to configure LDAP over TLS

ZhangHuangbin wrote:

Excuse me, what do you mean "secure outgoing connections using STARTTLS"?

I've meant the connection from another machine to the OpenLDAP. How can I ensure that these connections are encrypted by STARTTLS?

14

Re: Fails to configure LDAP over TLS

Turn on debug mode in OpenLDAP; it will log related info, including TLS/SSL. Reference:
http://www.iredmail.org/docs/debug.openldap.html

15 (edited by alex42 2016-10-10 20:34:17)

Re: Fails to configure LDAP over TLS

I've done so:

ZhangHuangbin wrote:

Turn on debug mode in OpenLDAP; it will log related info, including TLS/SSL. Reference:
http://www.iredmail.org/docs/debug.openldap.html

but in my case OpenLDAP is logging into syslog (iRedMail 0.8.7) and I've got the following:

Oct 10 14:16:41 example slapd[16787]: conn=1003 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct 10 14:16:41 example slapd[16787]: conn=1003 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 10 14:16:41 example slapd[16787]: conn=1003 op=0 RESULT tag=97 err=0 text=

Am I right that this means that the connection is unencrypted? How should it look if it is encrypted? And what can I do to activate encryption?

If I'm trying to force STARTTLS by using this command:

ldapwhoami -H ldap://example.com -x -ZZ

I get the following error message:

ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)
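An added example, not from the thread, that reads slapd's syslog lines and reports for each BIND whether a TLS handshake preceded it on the same connection. The mech=SIMPLE ssf=0 field quoted above is the SASL mechanism's strength and is logged as 0 for simple binds even over TLS; the transport indicator is a "TLS established tls_ssf=..." line for that conn, which is what this parser keys on. The log excerpt is constructed, with conn=1003 mirroring the plain session quoted above.

```python
import re
from collections import defaultdict

# Constructed slapd syslog excerpt (not from the post). conn=1003 mirrors the
# lines quoted above (plain ldap://), conn=1004 is a STARTTLS session on 389,
# conn=1005 is an ldaps:// session on 636. mech=SIMPLE ssf=0 appears on all of
# them: that field is the SASL mechanism's strength, not the transport's.
SAMPLE_LOG = """\
Oct 10 14:16:41 example slapd[16787]: conn=1003 fd=12 ACCEPT from IP=203.0.113.7:51234 (IP=0.0.0.0:389)
Oct 10 14:16:41 example slapd[16787]: conn=1003 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct 10 14:16:41 example slapd[16787]: conn=1003 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 10 14:17:02 example slapd[16787]: conn=1004 fd=13 ACCEPT from IP=203.0.113.7:51240 (IP=0.0.0.0:389)
Oct 10 14:17:02 example slapd[16787]: conn=1004 op=0 STARTTLS
Oct 10 14:17:02 example slapd[16787]: conn=1004 fd=13 TLS established tls_ssf=256 ssf=256
Oct 10 14:17:02 example slapd[16787]: conn=1004 op=1 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct 10 14:17:02 example slapd[16787]: conn=1004 op=1 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Oct 10 14:18:30 example slapd[16787]: conn=1005 fd=14 ACCEPT from IP=198.51.100.9:40112 (IP=0.0.0.0:636)
Oct 10 14:18:30 example slapd[16787]: conn=1005 fd=14 TLS established tls_ssf=256 ssf=256
Oct 10 14:18:30 example slapd[16787]: conn=1005 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Oct 10 14:18:30 example slapd[16787]: conn=1005 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+) \(IP=[^:]+:(\d+)\)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" mech=')

def audit_binds(log_text):
    """One (conn, client, listener_port, dn, tls_ssf) tuple per BIND; tls_ssf is
    0 when no 'TLS established' line preceded the BIND on that connection."""
    conns = defaultdict(lambda: {"client": "?", "port": "?", "tls_ssf": 0})
    records = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        state, rest = conns[m.group(1)], m.group(2)
        if a := ACCEPT_RE.search(rest):
            state["client"], state["port"] = a.group(1), a.group(2)
        elif t := TLS_RE.search(rest):
            state["tls_ssf"] = int(t.group(1))
        elif b := BIND_RE.search(rest):
            records.append((m.group(1), state["client"], state["port"], b.group(1), state["tls_ssf"]))
    return records

if __name__ == "__main__":
    for conn, client, port, dn, ssf in audit_binds(SAMPLE_LOG):
        print(f"conn={conn} {client} -> :{port} {dn}: " + ("CLEARTEXT BIND" if ssf == 0 else f"TLS ssf={ssf}"))
```

Run over the real syslog it lists which clients still bind in the clear, which is the inventory to fix before making slapd refuse such binds with the security directive (for example security ssf=128 in slapd.conf).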

16

Re: Fails to configure LDAP over TLS

*) Do you have the correct SSL configuration in the OpenLDAP config file?
*) How about using port 636 instead? It's LDAP over SSL; no plain connection is allowed through this port.

17

Re: Fails to configure LDAP over TLS

ZhangHuangbin wrote:

*) Do you have the correct SSL configuration in the OpenLDAP config file?

Here is my SSL configuration in

/etc/ldap/slapd.conf
# TLS files.
TLSCACertificateFile /etc/ssl/certs/iRedMail_CA.pem
TLSCertificateFile /etc/ssl/certs/iRedMail_CA.pem
TLSCertificateKeyFile /etc/ssl/private/iRedMail.key

ZhangHuangbin wrote:

*) How about using port 636 instead? It's LDAP over SSL; no plain connection is allowed through this port.

Access over port 636 seems not to work (but it is opened in the iptables):

ldapwhoami -H ldaps://example.com -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

18

Re: Fails to configure LDAP over TLS

Make sure you have OpenLDAP listening on port 636 in /etc/default/slapd like this:

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

The "ldaps:///" flag will ask OpenLDAP to listen on port 636 with SSL support.

Also, make sure you have proper firewall rules if you're trying to access from another machine.

19 (edited by alex42 2016-10-10 23:37:09)

Re: Fails to configure LDAP over TLS

I already had this setting and port 636 is open. Here are my results given by nmap:

Host is up (0.050s latency).
Not shown: 986 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
587/tcp  open  submission
636/tcp  open  ldapssl
993/tcp  open  imaps
995/tcp  open  pop3s
5222/tcp open  xmpp-client
5269/tcp open  xmpp-server
5280/tcp open  xmpp-bosh

But I can't connect via SSL/port 636. An ldapsearch with the -h option

 ldapsearch -h ldaps://example.com ....

gives me this error message:

Could not create LDAP session handle for URI=ldap://ldaps:%2F%2Fexample.com (-9): Bad parameter to an ldap routine

20 (edited by alex42 2016-10-10 23:54:11)

Re: Fails to configure LDAP over TLS

Ok, found a little error in my ldapsearch. It has to be:

ldapsearch -H "ldaps://example.com"

But I still can't connect. The server asks for the password, but then the connection fails with the following error message:

Enter LDAP Password: 
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

21

Re: Fails to configure LDAP over TLS

Did you try the ldapsearch command on mail server or another server? If it's on mail server, try 'ldaps://127.0.0.1:636' as server address.

22 (edited by alex42 2016-10-10 23:53:07)

Re: Fails to configure LDAP over TLS

This doesn't work either (before, I tried to connect from another server). It gives me the same error message.

23

Re: Fails to configure LDAP over TLS

OK, try ldapsearch with the flag '-d 256'; it will print debug messages on the console.

When I try it on the (testing) mail server:

# ldapsearch -d 256 -x -H 'ldaps://127.0.0.1:636' -D 'cn=manager,dc=xx,dc=xx' -w'my_passwd' -b 'o=domains,dc=xx,dc=xx'
TLS: hostname (127.0.0.1) does not match common name in certificate (d8.iredmail.org).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

So I replace '127.0.0.1' with the server hostname ('ldaps://d8.iredmail.org:636'), and it works:

# ldapsearch -d 256 -x -H 'ldaps://d8.iredmail.org:636' -D 'cn=manager,dc=xx,dc=xx' -w'my_passwd' -b 'o=domains,dc=xx,dc=xx'

24

Re: Fails to configure LDAP over TLS

This is working on my mail server! But it doesn't work on another server. Here I still get the following error message (using -d 256):

TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

25

Re: Fails to configure LDAP over TLS

Try '-d -1' instead of '-d 256'. Maybe it will show some useful debug log.