On Fri, Aug 17, 2012 at 12:21 AM, Shrinivasan T <[email protected]> wrote:
> I have a zimbra mail server.
>
> Recently I wanted to move to ldaps from ldap for higher security.
>
> Did the following steps to do this.
>
> zmlocalconfig -e ldap_master_url=ldaps://mail.domain.com:636
> zmlocalconfig -e ldap_url=ldaps://mail.domain.com:636
> zmlocalconfig -e ldap_starttls_supported=0
> zmlocalconfig -e ldap_port=636
> zmcontrol stop && zmcontrol start

I don't know what the above do but presuming it is all on the server side.

> wiki.zimbra.com/wiki/How_to_enable_ldaps
>
> But, after this, external ldap tools can not connect to the server.
>
> I can query the records within the server using ldapsearch.

Post the full command line here.

>
> If I do ldapsearch from external server, throwing following error.

Post the command line from an "external" server.

I believe you need to configure your ldap client to do TLS/SSL as well
and also use the -ZZ option on the CLI for StartTLS (man ldapsearch)

>
>
> ldapsearch -x -v -H 'ldaps://mail.domain.com/' -b
> 'ou=people,dc=domain,dc=com'  -D
> 'uid=test1,ou=people,dc=domain,dc=com' -W -d -1

-ZZ is missing see above.

.... snip ....
>   0000:  01                                                 .
> tls_read: want=5, got=5
>   0000:  16 03 01 00 30                                     ....0
> tls_read: want=48, got=48
>   0000:  cf 15 d2 46 4b 19 cc 6c  12 35 fb aa 5b fe ef 8e   ...FK..l.5..[...
>   0010:  2f 60 fe 49 26 4e 3e f8  15 06 f9 09 03 de 37 22   /`.I&N>.......7"
>   0020:  f4 8e 5a 0f 29 fc ea 1a  46 d5 7b 07 3f 6a 87 36   ..Z.)...F.{.?j.6
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Can you contact the LDAP server in text mode?  i.e. telnet <ipNumber> 389

Like so:

$ telnet sas-alix 389
Trying 172.16.0.1...
Connected to sas-alix.xxxxxx.xxxxxx.xxx
Escape character is '^]'.

>
> What is meant by the error?
> TLS: peer cert untrusted or revoked (0x42)
>
> In server side, in the file /etc/openldap/ldap.conf

I believe this is the conf file for the client.   The server side conf
file is slapd.conf (man slapd.conf for TLS settings)

>
> I tried with both the settings.
>
> 1. TLS_REQCERT never
>
> 2. TLS_REQCERT allow
>
> But still, getting same error.
> Because of this, can not use the addressbook from any of the email
> clients I use.

Also suggest reading
<http://en.wikipedia.org/wiki/Transport_Layer_Security> if you have
not done so.   It gives an overview of how TLS works.

-- 
Arun Khan
"As a layman, I would say we have it, but as a scientist I have to
say, 'What do we have?'"
Rolf Heuer, Director General CERN on the announcement of Higgs Boson particle.
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc