Topic: Using TLS for LDAP on port 389


I have a question regarding LDAP with TLS - I need to open up port 389 in order to allow a postgres server to perform authentication for access to its databases. The postgres version used is able to start TLS on port 389. Although only a very limited number of servers is allowed to connect to 389, I still need to enforce that only a connection with TLS is supported. This was achieved through setting 'security tls=1' in slapd.conf.

However, once I restart the server, my mail clients start to fail, as they cannot connect. I looked at some postfix files to see if the ldap commands used would clarify things. I found (as an example) the following in file /etc/postfix/ldap/transport_maps_user.cf:

server_host     =
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = cn=vmail,dc=xxxx,dc=yyyy
bind_pw         = <password>
search_base     = ou=Users,domainName=%d,o=domains,dc=xxxx,dc=yyyy
scope           = one
query_filter    = (&(objectClass=mailUser)(mail=%s)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail))
result_attribute= mtaTransport
debuglevel      = 0

So the question is - can I simply set 'start_tls = yes', and that should fix it? Are there other setting(s) that need to be corrected? If needed I could switch to ldaps on port 636, but it seems that this is considered 'deprecated' and use of TLS on 389 is regarded to be the better solution.

Can you give some help here?

Fabien H. Dumay

- iRedMail version (check /etc/iredmail-release): 0.9.7 OPENLDAP edition.
- Deployed downloadable installer?
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No

2 (edited by swejun 2019-03-13 18:06:05)

Re: Using TLS for LDAP on port 389

The question is a bit old, but if you haven't figured it out yet, here are some hints.

1) you could perhaps force your postgres server to use LDAPS (port 636), and then just open port 636 in the firewall?
2) or, you have to configure everything in the iRedMail server to use LDAPS (636) or StartTLS over 389.
There are a number of places to configure.... (I've done it myself, so I know that it works)

a) in /etc/postfix/ldap : I added start_tls = yes in all of the "cf" files. Remember to rebuild all the hash files using postmap <filename>
b) in /etc/dovecot/dovecot-ldap.conf , set "tls = yes "
c) in the <roundcubeDir> config/config.inc.php, add 'use_tls' => true, under the "//Global LDAP addressbook." section
d) in /etc/sogo/sogo.conf,  under the section "// Authentication using LDAP" the "hostname" statement should be changed from hostname = "ldap://";  to ldap://!StartTLS";
e) The same file, under the // Used for global address book section
f) in /opt/iredapd/settings.py. I have configured ldap_uri = "ldap://" (don't know if it is possible to use startTLS on 389 though)
g) /opt/www/iredadmin/settings.py (or /var/www/iredadmin/settings.py) set ldap_uri = ldaps:// according to the help text it means StartTLS on 389

Maybe I missed some config file, but try it out....:-)
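Since step a) above means touching every Postfix ldap: table by hand, here is an added example (not from either post, and not part of iRedMail) that audits such tables for the start_tls setting and rewrites the ones still talking plaintext LDAP. The file contents are constructed samples modelled on the transport_maps_user.cf shown in the question; in a real deployment you would read the files from /etc/postfix/ldap/ instead.

```python
import re

# Constructed samples: the first mirrors the start_tls = no table from the question,
# the second already uses StartTLS, the third omits the key (Postfix default is "no").
SAMPLE_TABLES = {
    "transport_maps_user.cf": "server_host     = 127.0.0.1\nserver_port     = 389\n"
                              "version         = 3\nbind            = yes\n"
                              "start_tls       = no\nbind_dn         = cn=vmail,dc=example,dc=com\n",
    "virtual_mailbox_maps.cf": "server_host     = 127.0.0.1\nserver_port     = 389\n"
                               "start_tls       = yes\nbind            = yes\n",
    "sender_login_maps.cf": "server_host     = 127.0.0.1\nserver_port     = 389\nbind            = yes\n",
}

KEY_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_table(text):
    """Parse a Postfix ldap: table into a dict; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def uses_tls(settings):
    """True if the table does StartTLS on 389 or points at an ldaps:// URI (port 636)."""
    if settings.get("server_host", "").lower().startswith("ldaps://"):
        return True
    return settings.get("start_tls", "no").lower() == "yes"


def audit(tables):
    """Names of tables slapd would reject once 'security tls=1' is enforced."""
    return sorted(name for name, text in tables.items() if not uses_tls(parse_table(text)))


def enable_start_tls(text):
    """Return the table with start_tls = yes, replacing the key or appending it."""
    out, seen = [], False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == "start_tls":
            out.append("start_tls       = yes")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append("start_tls       = yes")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in audit(SAMPLE_TABLES):
        print(f"{name}: plaintext LDAP, needs start_tls = yes")
```

Running the audit before restarting slapd with security tls=1 shows exactly which tables would start failing, which is what the question's mail clients ran into.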