On Fri, Aug 24, 2012 at 7:16 PM, Shrinivasan T
>>>
>>> zmlocalconfig -e ldap_master_url=ldaps://mail.domain.com:636
>>> zmlocalconfig -e ldap_url=ldaps://mail.domain.com:636
>>> zmlocalconfig -e ldap_starttls_supported=0
>>> zmlocalconfig -e ldap_port=636
>>> zmcontrol stop && zmcontrol start
>>
>> I don't know what the above do but presuming it is all on the server side.
>
> I did this on the zimbra server to enable ldaps.
>
> followed the link http://wiki.zimbra.com/wiki/How_to_enable_ldaps

Great - it helps but gut feeling tells me that it does not have the full story.

>
>>> ldapsearch -x -v -H 'ldaps://mail.domain.com/' -b
>>> 'ou=people,dc=domain,dc=com' -D
>>> 'uid=test1,ou=people,dc=domain,dc=com' -W -d -1
>
> If I run the above command within the zimbra server, it works well.
> i.e. it gives all the entries in the ldap server.
>
> If I run the same command from any other machine aka my laptop,
> it ends with an error.
>
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
>
>> -ZZ is missing see above.
>
> adding -ZZ gives the same error.
>
>> Can you contact the LDAP server in text mode? i.e. telnet <ipNumber> 389
>
>
>> Like so:
>>
>> $ telnet sas-alix 389
>> Trying 172.16.0.1...
>> Connected to sas-alix.xxxxxx.xxxxxx.xxx
>> Escape character is '^]'.
>
> I can connect it via telnet
>
> telnet <ipNumber> 636
>
> gives the same output as above.
>
>>> What is meant by the error?
>>> TLS: peer cert untrusted or revoked (0x42)
>>>

To the best of my knowledge (openldap mailing list), port 636 although supported, the recommendation is to use port 389 with StartTLS rather than having two ports open. <http://www.openldap.org/faq/data/cache/185.html>

What does "nmap -PN <your zimbra server>" show?

The ldapsearch command, from the "foreign" system, may be defaulting to port 389. Try -p 636 to specify the port.

Also, I believe this foreign machine has to know about the CA that has issued the cert being used by Zimbra. The client is complaining about untrusted cert. Listed at the end are the search strings I used. Searches throw quite a few links on this problem.

>>> In server side, in the file /etc/openldap/ldap.conf
>
>
>> I believe this is the conf file for the client. The server side conf
>> file is slapd.conf (man slapd.conf for TLS settings)
>
> /etc/openldap/ldap.conf is for server side only.
>
> Can not find the file slapd.conf in my zimbra server.

What is your base OS? Again, to the best of my knowledge slapd.conf is the server side config in openldap. In Ubuntu 10.04: pkg name is slapd, version 2.4.21. Try 'find /etc -iname slapd.conf' and see if anything surfaces.

If /etc/openldap/ldap.conf is the only file, then the Zimbra team has modified config files for openldap; I would suggest search and/or post to the Zimbra forums/lists.

Alternately, you can configure the openldap package from the base OS and tell Zimbra to use it as the LDAP server. <http://wiki.zimbra.com/wiki/LDAP_Authentication>

[1] Search string "TLS: peer cert untrusted or revoked (0x42)"
[2] Search string "openldap use of port 636"

<posting etiquette>
Do not obliterate the attribution of who wrote what when you are quoting. For example, in this quote (my posting):

On Fri, Aug 24, 2012 at 7:16 PM, Shrinivasan T wrote:
>>>
>>> zmlocalconfig -e ldap_master_url=ldaps://mail.domain.com:636
>>> zmlocalconfig -e ldap_url=ldaps://mail.domain.com:636
>>> zmlocalconfig -e ldap_starttls_supported=0
>>> zmlocalconfig -e ldap_port=636
>>> zmcontrol stop && zmcontrol start

It is apparent from the three ">" that the quote is coming from an older posting, but you have edited the From: attribution in your quoting so now it looks like you wrote the stuff of 24/Aug/2012.
</posting etiquette>

--
Arun Khan
_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
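The diagnosis in the reply above (the laptop does not trust the CA that issued the Zimbra certificate) can be reproduced and checked offline. The script below is an added example and is not part of the thread or of Zimbra's or OpenLDAP's own tooling: it builds a throw-away lab CA and a server certificate issued by it with the openssl command-line tool (assumed to be installed), shows that the certificate fails verification against a trust store that has never seen that CA, which is the condition the client reported as "peer cert untrusted or revoked (0x42)", and shows that it verifies once the CA file is supplied. The host name mail.domain.com and the base DN are the placeholders used in the thread; the CA, keys and certificates are constructed here and carry no real trust.

```shell
#!/bin/sh
# Added example: reproduce the "peer cert untrusted" failure with a lab CA
# and show the fix. Requires the openssl command-line tool.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a private CA and a server certificate issued by it. In the thread the
# corresponding pieces are the CA Zimbra used and the certificate slapd
# presents on port 636. All of this is constructed for the example.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Lab LDAP CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=mail.domain.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# The laptop in the thread: only the OS default trust store, which has never
# seen the issuing CA. Returns non-zero (chain cannot be built).
verify_untrusted() {
    openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

# The fix: give the client the issuing CA. Returns 0 when the server
# certificate chains to it.
verify_trusted() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# The same trust anchor handed to ldapsearch once the real CA file is in hand:
# the LDAPTLS_CACERT environment variable, or TLS_CACERT in ldap.conf (both
# documented in ldap.conf(5)). Printed rather than run, because there is no
# LDAP server in this example; /path/to/zimbra-ca.pem is a placeholder.
show_ldapsearch_fix() {
    printf '%s\n' \
        "LDAPTLS_CACERT=/path/to/zimbra-ca.pem ldapsearch -x -H ldaps://mail.domain.com:636/ -b 'ou=people,dc=domain,dc=com'"
}

main() {
    make_certs
    if verify_untrusted; then
        echo "unexpected: lab certificate trusted without its CA"
    else
        echo "without the CA: verification fails (the laptop's situation)"
    fi
    if verify_trusted; then
        echo "with the CA file: verification succeeds"
    fi
    show_ldapsearch_fix
}

main
```

Two practical notes. Trusting the issuing CA is the fix; turning off verification on the client (TLS_REQCERT never) silences the error but removes the protection the certificate is meant to give, so it is not a substitute. And -ZZ requests StartTLS on a plain ldap:// connection; with an ldaps:// URL the TLS session is already implicit, so adding -ZZ changes nothing about which CA the client needs to trust.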
