1

Topic: LDAP TLS Support

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.2.1
- Deployed with iRedMail Easy or the downloadable installer? Downloadable Installer
- Linux/BSD distribution name and version: Ubuntu 18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have been unable to set up TLS with OpenLDAP. I have traversed these forums and have tried numerous suggestions, but keep hitting walls and have been unable to find a clear step-by-step guide.

I am attempting to enable TLS over port 389 with OpenLDAP. In slapd.conf, after uncommenting:

#TLSCACertificateFile /etc/ssl/certs/iRedMail.crt
#TLSCertificateFile /etc/ssl/certs/iRedMail.crt
#TLSCertificateKeyFile /etc/ssl/private/iRedMail.key

I would restart slapd service and it would fail with "main: tls init def ctx failed: -1"

Searching these forums indicated it was a permissions issue with AppArmor. (My certs are from Let's Encrypt.)

After changing permissions on my cert files, slapd fails again, but with no provided explanation.

I would provide logs, but I have been unable to find any. Nothing is showing in syslog, openldap, slapd, etc.

Is there a guide anywhere?

Please help.



2

Re: LDAP TLS Support

1: Make sure OpenLDAP daemon user/group can read cert/key files (file permission).
2: Make sure the cert/key files are a valid SSL cert.

3

Re: LDAP TLS Support

ZhangHuangbin wrote:

1: Make sure OpenLDAP daemon user/group can read cert/key files (file permission).
2: Make sure the cert/key files are a valid SSL cert.

Can you verify which permissions the user should have on the files? I gave ownership of /etc/letsencrypt/* to openldap:openldap.

I changed the user that runs slapd to root:root and everything works as expected, so it does seem to be a permissions issue.

4

Re: LDAP TLS Support

mrbrightside918 wrote:

Can you verify which permissions the user should have on the files? I gave ownership of /etc/letsencrypt/* to openldap:openldap.

This is not right.
Just give "other" read permission to /etc/letsencrypt/live/ and /etc/letsencrypt/archive/.
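A way to verify the advice above before restarting slapd, added here as an example script that is not from the thread or from iRedMail: it checks that a cert/key path is reachable and readable through the "other" permission bits (what an unprivileged openldap user needs on root-owned files), following the live/ symlink into archive/ so both trees are covered. It assumes GNU coreutils (stat -c, readlink -f) as on Ubuntu 18.04, and the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: check that a TLS cert/key path can be
# reached and read through the "other" permission bits, which is what a slapd
# running as the unprivileged openldap user needs when the files stay owned
# by root. Let's Encrypt keeps symlinks in live/ that point into archive/, so
# both trees must be traversable. Assumes GNU coreutils (stat -c, readlink -f).

# Walk from the given path up to /, requiring o+x on every directory and
# o+r on the final entry. Prints the first failing component.
check_path_bits() {
    p=$1
    while :; do
        mode=$(stat -c %a "$p") || return 1
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ "$p" = "$1" ] && [ ! -d "$p" ]; then
            needed=4; what=readable          # the cert/key file itself
        else
            needed=1; what=traversable       # every directory on the way
        fi
        if [ $(( other & needed )) -eq 0 ]; then
            echo "not other-$what: $p"
            return 1
        fi
        if [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
}

# Check the path as given (the live/ symlink) and its resolved target
# (the real file under archive/).
check_other_readable() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    real=$(readlink -f "$1")
    check_path_bits "$1" || return 1
    if [ "$real" != "$1" ]; then
        check_path_bits "$real" || return 1
    fi
    echo "ok: $1 -> $real"
}

# usage (placeholder path): check_other_readable /etc/letsencrypt/live/example.com/privkey.pem
```

Once every file from slapd.conf reports ok, `ldapsearch -x -H ldap://localhost -ZZ -b '' -s base` confirms that StartTLS on port 389 actually succeeds end to end.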