Topic: Using TLS for LDAP on port 389
I have a question regarding LDAP with TLS - i need to open up port 389 in order to allow a postgres server to perform authentication for access to its databases. The progress version used is able to start TLS on port 389. Although only a very limited number of servers is allowed to connect to 389, i still need to enforce that only a connection with TLS is supported. This was achieved through setting 'security tls=1' in slapd.conf.
However, Once i restart the server, my mail clients start to fail, as they cannot connect. i looked at some postfix files to see if the ldap commands used would clarify things. I found (as an example) the following in file /etc/postfix/ldap/transport_maps_user.cf:
server_host = 127.0.0.1
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = cn=vmail,dc=xxxx,dc=yyyy
bind_pw = <password>
search_base = ou=Users,domainName=%d,o=domains,dc=xxxx,dc=yyyy
scope = one
query_filter = (&(objectClass=mailUser)(mail=%s)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail))
debuglevel = 0
So the question is - can i simply set 'start_tls = yes', and that should fix it? are there other setting(s) that need to be corrected? if needed i could switch to ldaps on port 636, but it seems that this is considered 'deprecated' and use of TLS on 389 is regarded to be the better solution.
Can you give some help here ?
Fabien H. Dumay
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7 OPENLDAP edition.
- Deployed downloadable installer?
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No