Topic: Does anyone have a working LDAPS?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2 OPENLDAP edition
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: CentOS 8 Stream
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP (symas-openldap)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi. Does anyone have a working LDAPS? I have trouble: slapd does not start.
(On my old CentOS 6 server I have a working ldaps://test6.sea.cz:636/)

systemctl restart slapd
Job for slapd.service failed because the control process exited with error code.
See "systemctl status slapd.service" and "journalctl -xe" for details.

/var/log/openldap/openldap.log - nothing useful:
...
Mar  5 14:34:22 test8 slapd[52121]: main: TLS init def ctx failed: -1
Mar  5 14:34:22 test8 slapd[52121]: slapd destroy: freeing system resources.
Mar  5 14:34:22 test8 slapd[52121]: slapd stopped.
Mar  5 14:34:22 test8 slapd[52121]: connections_destroy: nothing to destroy.
...

/etc/systemd/system/slapd.service.d/override.conf
ExecStart=/usr/sbin/slapd -u ldap -h "ldapi:/// ldap://127.0.0.1:389/ ldap://test8.sea.cz:389/ ldaps://127.0.0.1:636/ ldaps://test8.sea.cz:636/" -f /etc/openldap/slapd.conf

/etc/openldap/slapd.conf
...
# SSL cert files. if no need to access OpenLDAP from another host, it's ok to
# disable TLS/SSL support.
TLSCACertificateFile /etc/pki/tls/certs/iRedMail.crt
TLSCertificateFile /etc/pki/tls/certs/iRedMail.crt
TLSCertificateKeyFile /etc/pki/tls/private/iRedMail.key
...
loglevel    -1
...

iRedMail.crt and iRedMail.key
default selfsigned or Let's Encrypt (working with nginx)

For a first test I use:
openssl s_client -connect test8.sea.cz:636

Re: Does anyone have a working LDAPS?

Oh boy! Key is not readable for user ldap. Six hours of work fucked!

ls -l /etc/pki/tls/private
-rw-------  1 root root 1708 2021-03-01 22:43 iRedMail.key
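The reply above finds the cause by hand: the key is 0600 root-owned, while slapd initialises its TLS context after dropping to the "-u ldap" account, so the "TLS init def ctx failed: -1" message hides a plain permission problem. The script below is an added example (not code from the thread or from iRedMail) that checks every TLS*File directive in slapd.conf against the slapd user; it assumes Linux (GNU stat, id) and iRedMail's /etc/openldap/slapd.conf path.

```shell
#!/bin/sh
# Added example, not from the thread or iRedMail: verify that the files named
# by TLS* directives in slapd.conf are readable by the account slapd drops to
# ("-u ldap"). A root-only 0600 key makes the TLS context init fail with
# "TLS init def ctx failed: -1" although the file exists and nginx can use it.

# Pure DAC check: can USER (whose groups are GROUPS, space separated) read a
# file with the given owner, group and octal mode? Returns 0 = yes, 1 = no.
perm_allows_read() {
    owner=$1; group=$2; mode=$3; user=$4; groups=$5
    [ "$user" = root ] && return 0
    bits=${mode#"${mode%???}"}             # last three digits: 2640 -> 640
    u=${bits%??}; g=${bits#?}; g=${g%?}; o=${bits#??}
    if [ "$user" = "$owner" ]; then
        cls=$u                             # owner class wins even when it denies
    else
        cls=$o
        for grp in $groups; do [ "$grp" = "$group" ] && cls=$g; done
    fi
    [ $(( cls & 4 )) -ne 0 ]               # read permission is bit 4
}

# Look up owner/group/mode with stat and the user's groups with id, then check.
file_readable_by() {                       # file_readable_by FILE USER
    f=$1; who=$2
    [ -e "$f" ] || { echo "MISSING $f"; return 1; }
    set -- $(stat -c '%U %G %a' "$f")
    if perm_allows_read "$1" "$2" "$3" "$who" "$(id -Gn "$who" 2>/dev/null)"; then
        echo "ok      $f ($1:$2 $3)"
    else
        echo "DENIED  $f ($1:$2 $3) is not readable by $who"
        echo "        fix: chown root:$who '$f' && chmod 640 '$f'"
        return 1
    fi
}

# Check TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile.
check_slapd_tls_files() {                  # check_slapd_tls_files [CONF] [USER]
    conf=${1:-/etc/openldap/slapd.conf}; who=${2:-ldap}; rc=0
    for path in $(awk '$1 ~ /^TLS(CACertificate|Certificate|CertificateKey)File$/ {print $2}' "$conf"); do
        file_readable_by "$path" "$who" || rc=1
    done
    return $rc
}

# Usage: sh check_slapd_tls.sh [/etc/openldap/slapd.conf] [ldap]
if [ -f "${1:-/etc/openldap/slapd.conf}" ]; then check_slapd_tls_files "$@"; fi
```

Run it as root after changing certificate files (for example after a Let's Encrypt renewal) before restarting slapd; a non-zero exit means at least one TLS file is missing or unreadable by the slapd user.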