Kolab-webadmin and ldaps
Emmanuel MICHEL
emmanuel.michel at wanadoo.fr
Tue Jun 25 02:06:02 CEST 2013
On 17/06/2013 09:51, Aleksander Machniak wrote:
> This commit is needed to enable TLS using tls:// prefix in ldap_uri.
>
> http://git.kolab.org/kolab-wap/commit/?id=007150d02911a668b628f05c43dc4a1ca41f4204
Hi everyone,
Kolab-webadmin with TLS is finally OK on my Ubuntu 12.04 LTS test
machine. So, for the record:
- My setup uses current development Ubuntu packages from official
Kolabsys repository (kolab-webadmin 3.0.4-3)
- I applied the patch from Aleksander (see above) -> Thanks much!
- ldap_uri in /etc/kolab/kolab.conf is tls://localhost:389
- All of this means I'm finally using StartTLS (port 389) and not LDAPS
(port 686), as the latter is deprecated for LDAP (thanks to Paul for
pointing this out; I found a reference to this in the 389-ds docs as well).
- As admin-console is not working on Ubuntu, all the 389-ds setup for
SSL/TLS has to be done using the command line. A good page with complete
instructions is available here:
http://directory.fedoraproject.org/wiki/Howto:SSL
- If you want the LDAP server to force the client to use encryption, make
sure to set nsslapd-minssf to a non-zero value:
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 128
- I'm now looking for a way to stop 389-ds from listening on port 636.
- One thing which blocked me for days was related to PHP ldap_start_tls.
At least on Ubuntu, make sure you have the following line in
/etc/ldap/ldap.conf and restart apache after the change:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
(assuming the CA cert which issued your 389-ds cert is listed in this crt file)
Hope it'll help.
Bests,
EM
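As an added example (not part of this mail, nor kolab-webadmin's own code), here is the PHP client side of the setup above: a StartTLS connection on port 389 that fails closed rather than binding in the clear, plus a check that nsslapd-minssf really refuses an unencrypted bind. Bind DN and password are placeholders; CA trust comes from the TLS_CACERT line in /etc/ldap/ldap.conf as described in the mail.

```php
<?php
// Added example, not from the original mail or kolab-webadmin.
// Assumes: 389-ds on localhost:389 with StartTLS enabled, nsslapd-minssf
// set to a non-zero value, and the issuing CA listed in the TLS_CACERT
// file named in /etc/ldap/ldap.conf. DN and password are placeholders.
// Note: PHP's ldap_connect() takes an ldap:// URI; the tls:// prefix is
// kolab.conf's own convention, handled by the patched kolab-wap.

// Connect, upgrade to TLS, then bind. Any TLS failure aborts the login.
function kolab_ldap_connect_starttls($uri, $bindDn, $password)
{
    $conn = ldap_connect($uri);            // e.g. "ldap://localhost:389"
    if ($conn === false) {
        throw new RuntimeException("invalid LDAP URI: $uri");
    }
    // StartTLS requires LDAPv3; PHP defaults to v2.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Upgrade before sending credentials. Untrusted CA, hostname mismatch
    // or a server without TLS all end here, never in a plaintext bind.
    if (!@ldap_start_tls($conn)) {
        $err = ldap_error($conn);
        ldap_unbind($conn);
        throw new RuntimeException("StartTLS failed: $err");
    }
    if (!@ldap_bind($conn, $bindDn, $password)) {
        $err = ldap_errno($conn) . ': ' . ldap_error($conn);
        ldap_unbind($conn);
        throw new RuntimeException("bind failed ($err)");
    }
    return $conn;
}

// Check that the server enforces nsslapd-minssf: a bind that was not
// upgraded to TLS must be refused with LDAP result 13
// (confidentialityRequired; 389-ds logs "Minimum SSF not met").
function kolab_ldap_minssf_enforced($uri, $bindDn, $password)
{
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($conn, $bindDn, $password);   // deliberately no StartTLS
    $errno = ldap_errno($conn);
    ldap_unbind($conn);
    return !$ok && $errno === 13;
}

// Usage with placeholder credentials:
$dn = 'uid=kolab-service,ou=Special Users,dc=example,dc=org';
$pw = '<placeholder-password>';
echo kolab_ldap_minssf_enforced('ldap://localhost:389', $dn, $pw)
    ? "minssf enforced\n" : "WARNING: plaintext bind accepted\n";
$conn = kolab_ldap_connect_starttls('ldap://localhost:389', $dn, $pw);
```

The second function is the quick way to confirm, after changing cn=config, that the server rejects clients that skipped the TLS upgrade; if it reports a plaintext bind was accepted, nsslapd-minssf has not taken effect.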