
    ldap + tls not working

    Kopano Groupware Core
    • thctlo
      thctlo @paulo ricardo last edited by

      @paulo-ricardo

      https://kifarunix.com/setup-openldap-server-with-ssl-tls-on-debian-10/
      Even though it's Debian, go to the section: Configure OpenLDAP with SSL/TLS
      nicely explained there.

      • paulo ricardo
        paulo ricardo @thctlo last edited by

        @thctlo

        Hi

        My ldap+tls is working nicely.

        The problem occurs when I set starttls in ldap.cfg…80)

        If I disable TLS at ldap and kopano, all works.

        If I enable TLS at openldap, openldap works nicely, but not with kopano… 8( (even if I set starttls = yes in ldap.cfg)

        • thctlo
          thctlo @paulo ricardo last edited by thctlo

          @paulo-ricardo and you tried this.

          /etc/kopano/ldap.cfg
          ldap_uri = ldap://kopano.contatogs.com.br:389 ldaps://kopano.contatogs.com.br:636
          

          On this one, I am not sure if you need a space or a comma for separation there.

          And did you set up the rights on the certs so the kopano user can read these?

          something like this:

          apt-get install ssl-cert
          sudo usermod -a -G ssl-cert kopano
          

          For example:

          sudo ls -l /etc/ssl/private
          -r--r----- 1 root    ssl-cert 2766 Dec 12 13:06 www.example.org_ca.pem
          -r--r----- 1 root    ssl-cert 1671 Dec 12 13:06 www.example.org.crt
          -r--r----- 1 root    ssl-cert 1070 Dec 12 13:06 www.example.org.csr
          -r--r----- 1 root    ssl-cert 6268 Dec 12 13:06 www.example.org_intermediate.pem
          -r--r----- 1 root    ssl-cert 1675 Dec 12 13:06 www.example.org.key
          -r--r----- 1 root    ssl-cert 3502 Dec 12 13:06 www.example.org.pem
          
          • paulo ricardo
            paulo ricardo @thctlo last edited by

            @thctlo

            Hi thanks for helping

            humm

            ldapsearch -xLLLZZ works like a charm.
            I removed ldap://kopano.com.br:636 from ldap.conf.

            Changed kopano to /bin/bash for a test, and it can read /etc/ssl/contatogs.com.br/cacert.pem

            changing /etc/kopano/ldap.cfg to starttls = yes

            kopano-admin -lvvvvvvvvvvvvvvvvvvv
            [debug ] Initializing provider “Kopano Directory Service”
            [debug ] Initializing provider “Private Folders”
            [debug ] Initializing provider “Public Folders”
            Unable to list users: “object” not found
            Using the -v option (possibly multiple times) may give more hints.

            logs

            May 19 16:18:32 kopano kopano-server[5242]: Failed to enable TLS on LDAP session: Connect error

            It is certainly something related to TLS.

            Are you using kopano + debian + deb packages, or are you using the tar.gz from kopano?

            • paulo ricardo
              paulo ricardo @paulo ricardo last edited by

              @paulo-ricardo
              And yes, another modification that I inserted in ldap:
              olcSecurity: ssf=1 update_ssf=112 simple_bind=64

              • paulo ricardo
                paulo ricardo @paulo ricardo last edited by

                @paulo-ricardo

                Is there another way to debug this error? I tried looking at ldap.log but nothing appears 8(

                • fbartels
                  fbartels Kopano last edited by fbartels

                  Hi @paulo-ricardo,

                  @paulo-ricardo said in ldap + tls not working:

                  Using: 8.7.0-7ubuntu1
                  ubuntu 20.04

                  First of all, I cannot really recommend using the packages that are delivered as part of the Debian/Ubuntu repositories, as they are quite old and several newer versions with bug fixes have been released since then. Instead I would recommend requesting a trial key and retesting with the current version of Kopano One.

                  Looking over the post I don’t see something obviously wrong (apart from one time using ldap:// with the ssl port of your ldap server). One thing that you could look into is raising the log level of kopano-server for the user plugin (check the diagnostics section in the kopano-server man page).

                  Regards Felix

                  Resources:
                  https://kopano.com/blog/how-to-get-kopano/
                  https://documentation.kopano.io/
                  https://kb.kopano.io/

                  Support overview:
                  https://kopano.com/support/

                  paulo ricardo 1 Reply Last reply Reply Quote 0
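The scheme/port mismatch noted in the reply above, together with the StartTLS combinations tried in the thread, can be checked mechanically before restarting kopano-server. This is an added example, not code from the thread or from Kopano; the StartTLS key name is an assumption (matched as either `starttls` or `ldap_starttls`) and the hostname is a placeholder.

```shell
#!/bin/sh
# Added example, not Kopano code: lint the TLS-related lines of an ldap.cfg.
# Assumptions: key "ldap_uri" as shown in the thread; the StartTLS key is
# matched as "starttls" (as written in the thread) or "ldap_starttls", with
# yes/no values. IPv6 literals in URIs are not handled.

lint_ldap_cfg() {
    cfg=$1
    eq='[[:space:]]*=[[:space:]]*'
    # If a key is set more than once, the last assignment is used here.
    uris=$(sed -n "s/^[[:space:]]*ldap_uri$eq//p" "$cfg" | tail -n 1)
    tls=$(sed -n "s/^[[:space:]]*\(ldap_\)\{0,1\}starttls$eq//p" "$cfg" |
          tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    [ -n "$tls" ] || tls=no
    if [ -z "$uris" ]; then echo "WARN no ldap_uri set"; return 0; fi

    for uri in $(printf '%s' "$uris" | tr ',' ' '); do
        scheme=${uri%%://*}
        hostport=${uri#*://}; hostport=${hostport%%/*}
        case $hostport in
            *:*) port=${hostport##*:} ;;
            *)   if [ "$scheme" = ldaps ]; then port=636; else port=389; fi ;;
        esac
        # Scheme and port must agree: 636 is the conventional LDAPS listener.
        case "$scheme:$port" in
            ldap:636)  echo "WARN $uri: ldap:// on the conventional LDAPS port" ;;
            ldaps:389) echo "WARN $uri: ldaps:// on the plain LDAP port" ;;
        esac
        # StartTLS upgrades a plain ldap:// session; ldaps:// is TLS from the start.
        case "$scheme:$tls" in
            ldaps:yes) echo "WARN $uri: StartTLS requested but ldaps:// is already TLS" ;;
            ldap:no)   echo "WARN $uri: no TLS, simple-bind credentials are sent in cleartext" ;;
        esac
    done
}

# Constructed sample input (placeholder hostname), written to a temp file.
sample=$(mktemp)
cat >"$sample" <<'EOF'
ldap_uri = ldap://ldap.example.org:389 ldap://ldap.example.org:636
starttls = yes
EOF
lint_ldap_cfg "$sample"
rm -f "$sample"
```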
                  • paulo ricardo
                    paulo ricardo @fbartels last edited by

                    @fbartels

                    Hi Felix

                    I’ll try Kopano One and I’ll post results after that.

                    Thanks in advance

                    • paulo ricardo
                      paulo ricardo @paulo ricardo last edited by

                      @paulo-ricardo

                      Hi Felix

                      Unfortunately it will not be possible for me to test kopano-one. I started to install it and it requires that I uninstall mysql-server and apache2…8((( but these 2 are required for all my other applications…8(…

                      As I am an advanced user, can I try kopano groupware? Or will it be a waste of time?

                      I have been using Zimbra, but as they changed and as they will not provide packages for Ubuntu I am looking for other solutions. Kopano promises…80)

                      best regards

                      • paulo ricardo
                        paulo ricardo @paulo ricardo last edited by

                        @paulo-ricardo

                        Hi

                        Tested using debian10

                        Not working with TLS…8(

                        kopano-server 8.7.0

                        root@kopano:~# ldapsearch -xLLLZZ |wc -l
                        245
                        It shows that TLS is working…80)

                        olcTLSCACertificateFile: /etc/ldap/sasl2/cacert.pem
                        olcTLSCertificateFile: /etc/ldap/sasl2/kopano.contatogs.com.br.crt.pem
                        olcTLSCertificateKeyFile: /etc/ldap/sasl2/kopano.contatogs.com.br.key.pem
                        olcTLSVerifyClient: never
                        olcSecurity: ssf=1 update_ssf=112 simple_bind=64

                        any ideas?

                        best regards

                        • fbartels
                          fbartels Kopano @paulo ricardo last edited by

                          Hi @paulo-ricardo,

                          @paulo-ricardo said in ldap + tls not working:

                          Unfortunately it will not be possible for me to test kopano-one. I started to install it and it requires that I uninstall mysql-server and apache2…8((( but these 2 are required for all my other applications

                          I am not sure if having other applications running on the same server is within the supported scenarios of Kopano One.

                          @paulo-ricardo said in ldap + tls not working:

                          As I am an advanced user, can I try kopano groupware? Or will it be a waste of time?

                          Sure, you could also do a manual installation, afaik the license file should also give you access to the supported build repositories located at https://download.kopano.io/supported. If that is not the case I would recommend replying to one of the demo followup emails to receive an alternative evaluation key.

                          Regards Felix
