1 (edited by alex42 2019-06-28 05:15:19)

Topic: Force STARTTLS LDAP Connection

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I would like to use the LDAP configured by iRedMail on another server. I've managed to use the certificates of LetsEncrypt. I would like to force the LDAP to only allow binds using STARTTLS. But I can't use ldapmodify as I would like to. For example, on this site they describe creating an LDIF like this one:

dn: olcDatabase={0}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

If I try to apply these changes by typing the following:

ldapmodify -x -D cn=Manager,dc=example,dc=com -W -a -f forcetls.ldif

I get the following message:

modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Insufficient access (50)

How can I edit this file? Or is there another way to enforce encryption with STARTTLS to the LDAP?

----


2

Re: Force STARTTLS LDAP Connection

Found a solution on this site:

If you want to enforce STARTTLS encryption you have to add this to /etc/ldap/slapd.conf:

security tls=1

And restart the LDAP server. Sadly it is no longer possible to log in to Roundcube, for example. What do I have to change to make the login possible again, even with activated and enforced STARTTLS encryption?
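A check worth running after setting security tls=1, added here as an example and not taken from this thread or from iRedMail: it speaks raw LDAP to slapd, attempts a simple bind in the clear (which an enforcing server answers with confidentialityRequired, result code 13), then sends StartTLS and binds again over TLS. Host, port, bind DN and password are whatever the caller passes in, and the server's certificate must be valid for the hostname given, since the TLS step verifies it.

```python
import socket
import ssl

CONFIDENTIALITY_REQUIRED = 13           # resultCode slapd returns when 'security tls=1' blocks a plaintext op
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short form, or 0x81/0x82 long form)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPv3 simple BindRequest ([APPLICATION 0] = 0x60) inside an LDAPMessage SEQUENCE."""
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest ([APPLICATION 23] = 0x77) whose requestName [0] is the StartTLS OID."""
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x77, ber(0x80, STARTTLS_OID)))

def result_code(msg: bytes) -> int:
    """Extract resultCode from a BindResponse (0x61) or ExtendedResponse (0x78) message."""
    def tlv(pos):                        # (tag, value_start, value_end) of the TLV at pos
        tag, n = msg[pos], msg[pos + 1]
        if n & 0x80:                     # long-form length
            k = n & 0x7F
            n = int.from_bytes(msg[pos + 2:pos + 2 + k], "big")
            pos += k
        return tag, pos + 2, pos + 2 + n
    _, body, _ = tlv(0)                  # outer LDAPMessage SEQUENCE
    _, _, op = tlv(body)                 # skip messageID
    _, inner, _ = tlv(op)                # protocolOp
    tag, start, end = tlv(inner)         # resultCode comes first: ENUMERATED (0x0a)
    assert tag == 0x0A, "resultCode not where expected"
    return int.from_bytes(msg[start:end], "big")

def probe(host: str, port: int = 389, bind_dn: str = "", password: str = "") -> dict:
    """Bind in the clear, then StartTLS and bind again; 'enforced' means the clear bind got code 13."""
    report = {}
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        report["plaintext_bind"] = result_code(sock.recv(4096))   # short responses fit in one recv
        sock.sendall(starttls_request(2))
        if result_code(sock.recv(4096)) == 0:                     # StartTLS accepted
            tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            tls.sendall(bind_request(3, bind_dn, password))
            report["starttls_bind"] = result_code(tls.recv(4096))
    report["enforced"] = report["plaintext_bind"] == CONFIDENTIALITY_REQUIRED
    return report
```

Every LDAP client on the box (Dovecot, Postfix, Roundcube, iRedAdmin) then needs to pass the same test, because a client that still binds over plain ldap:// gets result code 13 instead of a session.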