26

Re: Fails to configure LDAP over TLS

I think the relevant part of the output is this:

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

How can I make it trust the certificate?


27

Re: Fails to configure LDAP over TLS

This works for me:

*) Use a valid SSL cert/key/ca in slapd.conf:

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/certfile.crt
TLSCertificateKeyFile /etc/pki/tls/private/keyfile.key

About "valid", I mean a bought SSL cert or a free cert from Let's Encrypt or another SSL vendor. I tested with a bought one.

*) Use correct CA file in /etc/openldap/ldap.conf (RHEL/CENTOS) or /etc/ldap/ldap.conf (DEBIAN/UBUNTU):

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

WARNING: it's "ldap.conf", not "slapd.conf".

*) Run your ldapsearch command again.

This way, both TLS and SSL work for me.

*) TLS (STARTTLS on the plain port): ldapsearch -Z -H 'ldap://<server_name>:389' ...
*) SSL (LDAPS needs the ldaps:// scheme, not ldap://): ldapsearch -H 'ldaps://<server_name>:636' ...
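Added example (not from the post above): a POSIX shell check that verifies the cert/key/CA triple from the steps above before you point slapd.conf and ldap.conf at it, so a mismatch shows up here rather than as "peer cert untrusted" from ldapsearch. The file paths are assumptions; it only needs openssl.

```shell
#!/bin/sh
# check_ldap_tls.sh: sanity-check the files named by TLSCertificateFile,
# TLSCertificateKeyFile and TLS_CACERT before restarting slapd.
# Example code; the paths passed in are assumptions, not iRedMail defaults.
set -u

# Return 0 if cert $1 chains to CA bundle $2 and belongs to private key $3.
# Non-zero return codes name the failure so the caller can act on it.
check_tls_material() {
    cert="$1"; ca="$2"; key="$3"
    for f in "$cert" "$ca" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # The client validates the server cert against TLS_CACERT; do the same.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "cert does not chain to $ca (client would report 'peer cert untrusted')" >&2; return 2; }
    # Key/cert mismatch makes slapd refuse to start: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 3; }
    # Expired (or about to expire within 24h) certs are also "untrusted".
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "cert expired or expires within 24h" >&2; return 4; }
    return 0
}

# Print the TLS_CACERT path from an ldap.conf so the test uses exactly
# the bundle the client will use (directive names are case-insensitive).
client_cacert() {
    awk 'toupper($1)=="TLS_CACERT" {print $2; exit}' "$1"
}

# Typical use (paths are assumptions for a RHEL/CentOS layout):
# check_tls_material /etc/pki/tls/certs/certfile.crt \
#     "$(client_cacert /etc/openldap/ldap.conf)" \
#     /etc/pki/tls/private/keyfile.key && echo "TLS material OK"
```

Once this passes, test with `ldapsearch -ZZ` rather than `-Z`: the double `-ZZ` makes ldapsearch fail if STARTTLS cannot be negotiated instead of silently continuing in the clear.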

28

Re: Fails to configure LDAP over TLS

Answering this question led me to fix our documentation; it didn't mention 'ldap.conf' at all. Fixed a moment ago:
http://www.iredmail.org/docs/use.a.boug … l#openldap

Enjoy. smile

29

Re: Fails to configure LDAP over TLS

So it is a problem of the self signed certificates generated by iRedMail?

As mentioned before, I wanted to use my certificates from Let's Encrypt, but after I added them to slapd.conf, LDAP failed to start. I will try it again tomorrow and tell you what error output I'm getting.

30

Re: Fails to configure LDAP over TLS

Try our tutorial:
http://www.iredmail.org/docs/use.a.boug … icate.html