Kolab-webadmin and ldaps

Emmanuel MICHEL emmanuel.michel at wanadoo.fr
Tue Jun 25 02:06:02 CEST 2013


Le 17/06/2013 09:51, Aleksander Machniak a écrit :
> This commit is needed to enable TLS using tls:// prefix in ldap_uri.
>
> http://git.kolab.org/kolab-wap/commit/?id=007150d02911a668b628f05c43dc4a1ca41f4204

Hi everyone,

Kolab-webadmin with TLS is finally OK on my Ubuntu 12.04 LTS test 
machine. So, for the record:

- My setup uses current development Ubuntu packages from official 
Kolabsys repository (kolab-webadmin 3.0.4-3)

- I applied the patch from Aleksander (see above) -> Thanks much!

- ldap_uri in /etc/kolab/kolab.conf is tls://localhost:389

- All of this means I'm finally using StartTLS (port 389) and not LDAPS 
(port 686), as the latter is deprecated for LDAP (thanks Paul for having 
pointed this one out; I found a reference to this in the 389-ds doc also).

- As the admin console is not working on Ubuntu, all the 389-ds setup for 
SSL/TLS has to be done from the command line. A good page with complete 
instructions is available here: 
http://directory.fedoraproject.org/wiki/Howto:SSL

- If you want the LDAP server to force clients to use encryption, make 
sure to set nsslapd-minssf to a non-zero value:

dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 128

- I'm now looking for a way to stop 389-ds from listening on port 636.

- One thing which blocked me for days was related to PHP ldap_start_tls. 
At least on Ubuntu, make sure you have the following line in 
/etc/ldap/ldap.conf and restart Apache after the change:

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

(assuming the CA cert which issued your 389-ds cert is listed in this crt file)

Hope it'll help.

Bests,

EM
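As an added example (not part of the original post, nor Kolab or 389-ds code): an offline Python audit of the three settings from the checklist above, run over constructed samples of the files. It assumes kolab.conf keeps ldap_uri in an [ldap] section, that cn=config is inspected as an LDIF dump, and that ldap.conf uses the OpenLDAP "TLS_CACERT <path>" form.

```python
import configparser
from urllib.parse import urlparse

# Constructed samples of the three files touched by the checklist; not the author's real files.
KOLAB_CONF = "[ldap]\nldap_uri = tls://localhost:389\n"
CN_CONFIG_LDIF = "dn: cn=config\nnsslapd-minssf: 128\n"
LDAP_CONF = "# /etc/ldap/ldap.conf\nTLS_CACERT      /etc/ssl/certs/ca-certificates.crt\n"

def ldap_uri_uses_starttls(kolab_conf_text, section="ldap"):
    """True if ldap_uri carries the tls:// prefix (StartTLS on the plain port)."""
    cp = configparser.ConfigParser()
    cp.read_string(kolab_conf_text)
    return urlparse(cp.get(section, "ldap_uri", fallback="")).scheme == "tls"

def ldif_attr(ldif_text, attr):
    """First value of attr in an LDIF entry, after unfolding continuation lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long values onto space-prefixed lines
        else:
            lines.append(raw)
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            return value.strip()
    return None

def min_ssf_ok(ldif_text, required=128):
    """True if nsslapd-minssf is set and at least `required`; 0 lets cleartext binds through."""
    value = ldif_attr(ldif_text, "nsslapd-minssf")
    return value is not None and value.isdigit() and int(value) >= required

def ca_cert_path(ldap_conf_text):
    """TLS_CACERT path from an OpenLDAP-style ldap.conf, or None when it is missing."""
    for line in ldap_conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_CACERT":
            return parts[1].strip()
    return None

def audit(kolab_conf=KOLAB_CONF, cn_config=CN_CONFIG_LDIF, ldap_conf=LDAP_CONF):
    """Run the three checks from the post; each value is True when the setting matches."""
    return {"starttls_uri": ldap_uri_uses_starttls(kolab_conf),
            "minssf": min_ssf_ok(cn_config),
            "ca_cert": ca_cert_path(ldap_conf) is not None}
```

Point the three arguments of audit() at the contents of the real files (cn=config can be read with ldapsearch against the server) to check a live install the same way.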