
ldaps using stunnel not working

Posted: Fri Apr 29, 2005 4:37 pm
by mpartyka
Hello,

I am attempting to tunnel ldap over SSL using stunnel (imap/pop/smtp are already working using stunnel), so the company directory can be safely accessed from outside our network as well as inside.

So I added the lines to /etc/stunnel/stunnel.conf to enable ldaps, like so:

[ldaps]
accept = 636
connect = 389

I restarted the stunnel daemon and tested connecting; I cannot connect to the ldap directory over the ldaps port 636, although I see the stunnel listening connection on port 636.

Debug logging of stunnel indicates the following error associated with the attempt:

2005.04.28 12:15:05 LOG5[27926:1076812720]: ldaps connected from 71.4.124.200:43012
2005.04.28 12:15:05 LOG7[27926:1076812720]: SSL state (accept): before/accept initialization
2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: FD=14, DIR=read
2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: ok
2005.04.28 12:15:05 LOG3[27926:1076812720]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2005.04.28 12:15:05 LOG7[27926:1076812720]: ldaps finished (6 left)

I think what this is indicating is that the connection is accepted by stunnel, but when it tries to hand off to the ldap server process, omslapd, the ldap server is stating it doesn't understand the SSL protocol.

Can you tell me if the ldap server compiled into the Scalix server supports ssl? If not, can it be made to do so without breaking Scalix?

Just in case you're interested, the version of openssl is: openssl-0.9.7d-15.13

Thanks,

Posted: Sat Apr 30, 2005 2:10 pm
by ScalixSupport
This is one case where stunnel can't help.

LDAP over SSL is really TLS which means it is negotiated in the protocol rather than when establishing the socket connection.

The Scalix LDAP server does not provide native SSL or TLS support so, when stunnel passes the connection to Scalix, our LDAP server doesn't handle the TLS request.

In the case of something like SMTPS, stunnel is providing the TLS negotiation on our behalf because stunnel understands the SMTP protocol. Unfortunately, there is no LDAP TLS in stunnel either.

A ssh port forward might help in this case but it will need to be installed on each client machine.

Cheers

Dave

ldaps over stunnel

Posted: Tue May 03, 2005 9:00 am
by mpartyka
Hello Dave,

Thanks for the reply,

I am somewhat confused about it though. Stunnel does seem to support ldaps according to its documentation, and other people seem to be able to make Stunnel work with ldap. Is it because TLS support is just not being compiled in the Scalix ldap package?

Is it possible to configure the Scalix ldap service directly to provide the directory over ssl? I know the answer is probably no, but when I run the "ldd" command on the omslapd binary, I am seeing the binary link to the ssl library, like so:

msp1intmx01:~ # ldd /opt/scalix/bin/omslapd | grep ssl
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x403b6000)

Can you clarify?

Thanks,

Posted: Tue May 03, 2005 9:56 am
by ScalixSupport
Can you tell me how you are testing this?

I may have been a little hasty in my response to you. I have done some more investigation and can get stunnel working with LDAP.

I tested this with Thunderbird and also with the ldapsearch command line.

There is no extra configuration for stunnel other than to add the 636->389 mapping.

For ldapsearch, you need to add the directive:

TLS_CACERTDIR /usr/share/ssl/certs

to /etc/openldap/ldap.conf.

For Thunderbird, I configured the port as 636 and also ensured that the SSL option is checked.

Can you tell me if this is what you have done?

Cheers

Dave

Posted: Tue May 03, 2005 10:14 am
by mpartyka
It sounds as though I did exactly what you did; I added the appropriate lines to the stunnel.conf file like:

[ldaps]
connect = 389
accept = 636

And I can do an "lsof -i tcp:636" and see the stunnel daemon listening, but none of the ssl-enabled email clients we have are able to connect using ssl.

The clients I have tried with are Mac OS X Mail, Novell Evolution, and Outlook 2003. With all these clients I am checking "use ssl" and ensuring that it's connecting on port 636.

After eventually getting an authentication failure message, I check the stunnel log and that's when I see the ldaps error about protocol unknown; here is the excerpt again:

2005.04.28 12:15:05 LOG5[27926:1076812720]: ldaps connected from 71.4.124.200:43012
2005.04.28 12:15:05 LOG7[27926:1076812720]: SSL state (accept): before/accept initialization
2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: FD=14, DIR=read
2005.04.28 12:15:05 LOG7[27926:1076812720]: waitforsocket: ok
2005.04.28 12:15:05 LOG3[27926:1076812720]: SSL_accept: 0760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2005.04.28 12:15:05 LOG7[27926:1076812720]: ldaps finished (6 left)

I think that about does it. Is there something specific I am missing that would help determine why yours works and mine does not?

Thanks,
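
The error both posters quote, SSL23_GET_CLIENT_HELLO:unknown protocol, is OpenSSL reporting that the first bytes it received on port 636 did not look like a TLS or SSL ClientHello, so the handshake failed before stunnel ever forwarded anything to omslapd. The following Python is an added example, not code from the thread, stunnel or Scalix: it triages stunnel debug lines of this shape (the sample lines are constructed to match the excerpt, with documentation-range addresses) and classifies the first bytes a client sends, which is the check that separates a client doing LDAPS (TLS from the first byte) from one sending plain LDAP or expecting StartTLS on the same port.

```python
import re

# Shape of a stunnel 4.x debug line: "date time LOGn[pid:tid]: message"
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")

# Constructed sample modelled on the thread's excerpt (not real log data):
# thread ...720 fails the handshake, thread ...721 completes it.
SAMPLE_LOG = """\
2005.04.28 12:15:05 LOG5[27926:1076812720]: ldaps connected from 192.0.2.10:43012
2005.04.28 12:15:05 LOG7[27926:1076812720]: SSL state (accept): before/accept initialization
2005.04.28 12:15:05 LOG3[27926:1076812720]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2005.04.28 12:15:05 LOG7[27926:1076812720]: ldaps finished (6 left)
2005.04.28 12:16:40 LOG5[27926:1076812721]: ldaps connected from 192.0.2.11:50022
2005.04.28 12:16:40 LOG7[27926:1076812721]: SSL state (accept): SSLv3 read client hello A
2005.04.28 12:16:40 LOG6[27926:1076812721]: SSL accepted: new session negotiated
2005.04.28 12:16:40 LOG7[27926:1076812721]: ldaps finished (5 left)
"""


def classify_first_bytes(data: bytes) -> str:
    """Say what the first bytes a client sent to the wrapped port look like."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"   # TLS record: type handshake, version 3.x
    if data[:1] == b"\x30":
        return "ldap-ber-message"   # LDAPMessage is a BER SEQUENCE (tag 0x30)
    return "unknown"


def triage(log_text: str) -> list:
    """Return one dict per stunnel connection thread: peer, outcome, diagnosis."""
    threads = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m.group(4), m.group(5)
        rec = threads.setdefault(tid, {"peer": None, "outcome": "unknown", "diagnosis": ""})
        if " connected from " in msg:
            rec["peer"] = msg.split(" connected from ", 1)[1]
        elif "SSL_accept" in msg and "unknown protocol" in msg:
            rec["outcome"] = "handshake-failed"
            rec["diagnosis"] = ("client sent non-TLS bytes to the TLS port: check it is "
                                "configured for ldaps on 636, not plain LDAP or StartTLS")
        elif "SSL accepted" in msg:
            rec["outcome"] = "handshake-ok"
    return list(threads.values())


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```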

Posted: Wed Feb 20, 2008 12:50 pm
by georgew
Hi Guys,
Did you get to the bottom of this in the end? I'd like to set up exactly the same requirement for my users. Additionally, is it possible to lock down the ldap process so that you need to authenticate to query it?

Thanks in Advance

George