1 Topic by tavi

  • tavi
  • Member
  • Offline
  • Registered: 2010-09-28
  • Posts: 10

Topic: iredapd & iredadmin - ldap tls support

Dear ZhangHuangbin,

We are using a customed version of a mail infrastructure based on iredmail. We are keeping the ldap server on a different server then the mail server.

We've noticed that iredapd and iredadmin are not starting a tls connection when the ldap server url is set to start with ldaps://.

Using ldaps:// to set TLS options doesn't work because I think it tries a ssl connection automatically. In order to start the tls connection we've added the start_tls_s() function (conn.start_tls_s()) right after ldap.initialize(). Now, when using ldap://, the tls connection is started and data is secured. Setting options like OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS, OPT_X_TLS_DEMAND doesn't seem to have any influence.

I hope this will help you modify your applications to support tls.

Thank you,

Tavi

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: iredapd & iredadmin - ldap tls support

Uses 'ldaps://x.x.x.x' will perform STARTTLS connection with port 389, not TLS.

Some questions:
- Are you force to connect through TLS or depends on server setting (ldap://, ldaps://, ldaps://x.x.x.x:636)?
- Could you share the diff/patch of your modification? it will be easier for me to test and merge it.

Also, May i know what other features you achieved by modifying iRedAdmin-Pro source code?
Personally, i believe what customers need is an API (or let's say, hook, or plugin) to achieve addition features, not modifying source code.