    ldap + tls not working

    • paulo ricardo
      paulo ricardo last edited by

      Hi

      Using: 8.7.0-7ubuntu1
      ubuntu 20.04

      If I use TLS in ldap.cfg I see in the logs:
      May 19 10:15:52 kopano kopano-server[3112]: Failed to enable TLS on LDAP session: Connect error

      but using ldapsearch -xLLLZZ works

      I tried not using TLS and kopano-admin -l works…

      The problem appears when I set starttls = yes in ldap.cfg…

      /etc/kopano/server.cfg

      user_plugin = ldap
      user_plugin_config = /etc/kopano/ldap.cfg

      /etc/kopano/ldap.cfg

      !include /usr/share/kopano/ldap.openldap.cfg
      ldap_uri = ldap://kopano.contatogs.com.br
      ldap_server_charset = utf-8
      ldap_starttls = yes
      ldap_bind_user = cn=admin,dc=contatogs,dc=com,dc=br
      ldap_bind_passwd = xxxxxx
      ldap_search_base = dc=contatogs,dc=com,dc=br

      /etc/ldap/ldap.conf

      BASE dc=contatogs,dc=com,dc=br
      URI ldap://kopano.contatogs.com.br
      SIZELIMIT 0
      TIMELIMIT 0
      TLS_REQCERT demand
      TLS_CACERT /etc/ssl/contatogs.com.br/cacert.pem

      Any ideas how can I solve this?

      best regards

      • thctlo
        thctlo @paulo ricardo last edited by

        @paulo-ricardo

        https://kifarunix.com/setup-openldap-server-with-ssl-tls-on-debian-10/
        Even though it's Debian, go to the section: Configure OpenLDAP with SSL/TLS
        It is nicely explained there.

        • paulo ricardo
          paulo ricardo @thctlo last edited by

          @thctlo

          Hi

          My ldap+tls is working nicely.

          The problem occurs when I set starttls in ldap.cfg…80)

          If I disable TLS in ldap and kopano, all works.

          If I enable TLS in openldap, openldap works nicely, but not with kopano… 8( (even if I leave starttls = yes in ldap.cfg)

          • thctlo
            thctlo @paulo ricardo last edited by thctlo

            @paulo-ricardo and have you tried this?

            /etc/kopano/ldap.cfg
            ldap_uri = ldap://kopano.contatogs.com.br:389 ldaps://kopano.contatogs.com.br:636
            

            On this one, not sure if you need a space or a , for separation there.

            And did you set up the rights on the certs so the kopano user can read these?

            something like this:

            apt-get install ssl-cert
            sudo usermod -a -G ssl-cert kopano
            

            For example:

            sudo ls -l /etc/ssl/private
            -r--r----- 1 root    ssl-cert 2766 Dec 12 13:06 www.example.org_ca.pem
            -r--r----- 1 root    ssl-cert 1671 Dec 12 13:06 www.example.org.crt
            -r--r----- 1 root    ssl-cert 1070 Dec 12 13:06 www.example.org.csr
            -r--r----- 1 root    ssl-cert 6268 Dec 12 13:06 www.example.org_intermediate.pem
            -r--r----- 1 root    ssl-cert 1675 Dec 12 13:06 www.example.org.key
            -r--r----- 1 root    ssl-cert 3502 Dec 12 13:06 www.example.org.pem
            
            • paulo ricardo
              paulo ricardo @thctlo last edited by

              @thctlo

              Hi, thanks for helping

              humm

              ldapsearch -xLLLZZ works like a charm.
              I removed ldap://kopano.com.br:636 from ldap.conf.

              Changed kopano to /bin/bash for a test and it can read /etc/ssl/contatogs.com.br/cacert.pem

              Changing /etc/kopano/ldap.cfg to starttls = yes

              kopano-admin -lvvvvvvvvvvvvvvvvvvv
              [debug ] Initializing provider “Kopano Directory Service”
              [debug ] Initializing provider “Private Folders”
              [debug ] Initializing provider “Public Folders”
              Unable to list users: “object” not found
              Using the -v option (possibly multiple times) may give more hints.

              logs

              May 19 16:18:32 kopano kopano-server[5242]: Failed to enable TLS on LDAP session: Connect error

              It certainly is something related to TLS.

              Are you using kopano + debian + deb packages, or are you using the tar.gz from kopano?

              • paulo ricardo
                paulo ricardo @paulo ricardo last edited by

                @paulo-ricardo
                And yes, another modification that I inserted in ldap:
                olcSecurity: ssf=1 update_ssf=112 simple_bind=64

                • paulo ricardo
                  paulo ricardo @paulo ricardo last edited by

                  @paulo-ricardo

                  Is there another way to debug this error? I tried looking at ldap.log but nothing appears 8(

                  • fbartels
                    fbartels Kopano last edited by fbartels

                    Hi @paulo-ricardo,

                    @paulo-ricardo said in ldap + tls not working:

                    Using: 8.7.0-7ubuntu1
                    ubuntu 20.04

                    First of all, I cannot really recommend using the packages that are delivered as part of the Debian/Ubuntu repositories, as they are quite old and several newer versions with bug fixes have been released since then. Instead I would recommend requesting a trial key and retesting with the current version of Kopano One.

                    Looking over the post I don’t see something obviously wrong (apart from one time using ldap:// with the ssl port of your ldap server). One thing that you could look into is raising the log level of kopano-server for the user plugin (check the diagnostics section in the kopano-server man page).

                    Regards Felix

                    Resources:
                    https://kopano.com/blog/how-to-get-kopano/
                    https://documentation.kopano.io/
                    https://kb.kopano.io/

                    Support overview:
                    https://kopano.com/support/
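
An added example, not part of the thread and not Kopano's own code: a small Python check for the URI mix-up mentioned in the reply above (an ldap:// URI pointed at the LDAPS port) and for whether a working `ldapsearch -ZZ` test used the same endpoint that ldap.cfg names. The function names and sample strings are constructed for illustration from the settings quoted in the thread; accepting both spaces and commas in `ldap_uri` is an assumption, since the thread leaves the separator open.

```python
import re
from urllib.parse import urlsplit

def parse_kv(text, sep):
    """Parse 'key = value' (sep='=') or 'KEY value' (sep=None) lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # skip comments and !include
            continue
        parts = line.split(sep, 1)
        if len(parts) == 2:
            out[parts[0].strip().lower()] = parts[1].strip()
    return out

def audit(ldap_cfg, ldap_conf):
    """Return findings for a Kopano ldap.cfg checked against OpenLDAP's ldap.conf."""
    cfg, conf = parse_kv(ldap_cfg, "="), parse_kv(ldap_conf, None)
    starttls = cfg.get("ldap_starttls", "no").lower() == "yes"
    # Assumption: split ldap_uri on whitespace or commas (separator not settled here).
    uris = [urlsplit(u) for u in re.split(r"[\s,]+", cfg.get("ldap_uri", "")) if u]
    found = []
    for u in uris:
        if u.scheme == "ldap" and u.port == 636:
            found.append(f"{u.geturl()}: ldap:// scheme on LDAPS port 636")
        elif u.scheme == "ldaps" and starttls:
            found.append(f"{u.geturl()}: ldaps:// together with ldap_starttls = yes")
        elif u.scheme == "ldap" and not starttls:
            found.append(f"{u.geturl()}: no TLS protects the bind on this connection")
    # By default, ldapsearch -ZZ without -H tests the URI from ldap.conf, not ldap_uri.
    targets = {(u.hostname, u.port or 389) for u in uris if u.scheme == "ldap"}
    cli = [urlsplit(u) for u in conf.get("uri", "").split()[:1]]
    if cli and targets and (cli[0].hostname, cli[0].port or 389) not in targets:
        found.append("ldap.conf URI differs from ldap_uri: ldapsearch tested another endpoint")
    if conf.get("tls_reqcert", "demand").lower() not in ("demand", "hard"):
        found.append("TLS_REQCERT does not enforce server certificate verification")
    return found

# Constructed samples: the settings quoted in the thread (password redacted),
# and a variant with the port mix-up mentioned in the reply above.
THREAD_CFG = """!include /usr/share/kopano/ldap.openldap.cfg
ldap_uri = ldap://kopano.contatogs.com.br
ldap_starttls = yes
ldap_bind_user = cn=admin,dc=contatogs,dc=com,dc=br
ldap_bind_passwd = xxxxxx"""
THREAD_CONF = """URI ldap://kopano.contatogs.com.br
TLS_REQCERT demand
TLS_CACERT /etc/ssl/contatogs.com.br/cacert.pem"""
MIXED_CFG = THREAD_CFG.replace(".com.br\n", ".com.br:636\n", 1)

if __name__ == "__main__":
    for name, cfg in (("as posted", THREAD_CFG), ("port 636", MIXED_CFG)):
        print(name, audit(cfg, THREAD_CONF) or "no findings")
```

The configuration as posted yields no findings, which matches the observation above that nothing in it is obviously wrong; the check only rules out the static mismatches and does not replace raising the kopano-server log level.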

                    • paulo ricardo
                      paulo ricardo @fbartels last edited by

                      @fbartels

                      Hi Felix

                      I’ll try Kopano One and I’ll post results after that.

                      Thanks in advance

                      • paulo ricardo
                        paulo ricardo @paulo ricardo last edited by

                        @paulo-ricardo

                        Hi Felix

                        Unfortunately it will not be possible for me to test kopano-one. I started to install it and it requires that I uninstall mysql-server and apache2…8((( but these 2 are required for all my other applications…8(…

                        As I am an advanced user, can I try kopano groupware? Or will it be a waste of time?

                        I have been using zimbra, but as they changed and as they will not provide packages for ubuntu I am looking for other solutions. Kopano promises…80)

                        best regards

                        • paulo ricardo
                          paulo ricardo @paulo ricardo last edited by

                          @paulo-ricardo

                          Hi

                          Tested using debian10

                          Not working with TLS…8(

                          kopano-server 8.7.0

                          root@kopano:~# ldapsearch -xLLLZZ |wc -l
                          245
                          It shows that TLS is working…80)

                          olcTLSCACertificateFile: /etc/ldap/sasl2/cacert.pem
                          olcTLSCertificateFile: /etc/ldap/sasl2/kopano.contatogs.com.br.crt.pem
                          olcTLSCertificateKeyFile: /etc/ldap/sasl2/kopano.contatogs.com.br.key.pem
                          olcTLSVerifyClient: never
                          olcSecurity: ssf=1 update_ssf=112 simple_bind=64

                          any ideas?

                          best regards

                          • fbartels
                            fbartels Kopano @paulo ricardo last edited by

                            Hi @paulo-ricardo,

                            @paulo-ricardo said in ldap + tls not working:

                            Unfortunately it will not be possible for me to test kopano-one. I started to install it and it requires that I uninstall mysql-server and apache2…8((( but these 2 are required for all my other applications

                            I am not sure if having other applications running on the same server is within the supported scenarios of Kopano One.

                            @paulo-ricardo said in ldap + tls not working:

                            As I am an advanced user, can I try kopano groupware? Or will it be a waste of time?

                            Sure, you could also do a manual installation, afaik the license file should also give you access to the supported build repositories located at https://download.kopano.io/supported. If that is not the case I would recommend replying to one of the demo followup emails to receive an alternative evaluation key.

                            Regards Felix
