Hi Jim,

Would it be possible to share your imapd configuration? I’m wondering if you 
have any configuration line specifying the certificate and CA trust for LDAP 
comms (client cert and key) and trusting the issuer of the server cert?

Just reading the doc: at least in the 2.5 release notes, the following changes 
appear to have been made. Just wondering if it isn’t attempting secure 
negotiation due to not finding, or not being able to read, the certs (that I 
suspect are necessary)? Just a stab in the dark. 

Option Name Changes for ldap_tls_*
Configuration option names for LDAP SSL/TLS configuration in imapd.conf(5) have 
been changed:

  ldap_ca_dir (was: ldap_tls_cacert_dir)
  ldap_ca_file (was: ldap_tls_cacert_file)
  ldap_client_cert (was: ldap_tls_cert)
  ldap_verify_peer (was: ldap_tls_check_peer)
  ldap_ciphers (was: ldap_tls_ciphers)
  ldap_client_key (was: ldap_tls_key)

Regards


Sent from my iPhone

> On 19/06/2021, at 04:07, [email protected] wrote:
> 
> 
> Enabling TLS was not as straightforward as I'd hoped.
> 
> If I use ldaps://...:636
> ptload does not appear to even attempt to negotiate a TLS connection; it simply 
> reports that a simple bind failed.
> 
> If I use ldap://...:389 and enable ldap_start_tls: 1
> ptload sends LDAP_START_TLS_OID
> The server responds with LDAP_START_TLS_OID
> The client then sends something in SSL and the process times out.
> 
> If I use ldapsearch with the ldaps://...:636 and the same bind credentials, 
> it issues a Client Hello, the server responds with a Server Hello, and they 
> negotiate a TLS 1.2 connection and data is passed.
> 
> If I use ldapsearch with the ldap://...:389, -ZZ and the same bind 
> credentials:
> ldapsearch sends LDAP_START_TLS_OID
> The server responds with LDAP_START_TLS_OID
> ldapsearch then sends a Client Hello, the server responds and offers 
> certificates, and a TLS 1.2 connection is negotiated and data is passed.
> 
> Is there something messed up in ptload so it isn't sending a Client Hello to 
> start a TLS session? I don't see anything in the imapd.conf options that would 
> affect this. I have set the path to the CA cert for the LDAP server so it 
> will be happy once it gets the certificate, but it isn't even asking for the 
> certificate.
> 
> Did I miss something at compile time that is needed to get ptload built with 
> SSL support? Cyrus-imapd has it OK; it offers STARTTLS to the client (e.g. 
> imtest) and negotiates it fine, but ptloader doesn't seem to know about 
> starting a TLS session.
> 
> My IMAP server and my LDAP server are both on the same LAN, so TLS between 
> them is not critical right now, but I think Microsoft will look to enforce 
> encrypted LDAP lookups on AD DCs in the future, so it would be best to get it 
> working now if possible.
> 
> Regards
> Jim
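
As an added diagnostic, not code from the Cyrus project or from either poster: a POSIX shell script that reads an imapd.conf and checks the three things this thread circles around before blaming ptloader. It reports any pre-2.5 ldap_tls_* option names still present (the list quoted from the 2.5 release notes above), checks that every certificate or key path the config names exists and is readable by the user running the check (run it as the Cyrus user, since a CA file root can read but the daemon cannot looks exactly like "no TLS attempted"), and flags an ldaps:// URI combined with ldap_start_tls, because STARTTLS is an extended operation sent over a plaintext LDAP session and cannot be issued on a port-636 connection that is already inside TLS. The "key: value" line syntax is imapd.conf's; the option names are the post-2.5 ones from the thread; the config path, script name and the "cyrus" user in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not Cyrus project code: sanity-check the LDAP TLS settings in
# an imapd.conf. Assumes the post-2.5 option names quoted in the thread
# (ldap_ca_file, ldap_ca_dir, ldap_client_cert, ldap_client_key) and
# imapd.conf's "key: value" line syntax with '#' comment lines.

# conf_get FILE KEY: print KEY's value with surrounding whitespace stripped,
# or nothing if the key is not set. Only the first occurrence is used.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# check_old_names FILE: print every pre-2.5 ldap_tls_* option still present,
# one per line. Those names were replaced in 2.5, so a config that still uses
# them is not setting what the admin thinks it is. Returns 1 if any were found.
check_old_names() {
    found=0
    for old in ldap_tls_cacert_dir ldap_tls_cacert_file ldap_tls_cert \
               ldap_tls_check_peer ldap_tls_ciphers ldap_tls_key; do
        if grep -Eq "^[[:space:]]*$old:" "$1"; then
            echo "$old"
            found=1
        fi
    done
    return $found
}

# check_cert_paths FILE: for each certificate/key path the config names, print
# "MISSING key path" or "UNREADABLE key path". Readability is judged for the
# current user, so run this as the user ptloader runs as. Returns 1 on any hit.
check_cert_paths() {
    rc=0
    for key in ldap_ca_file ldap_ca_dir ldap_client_cert ldap_client_key; do
        path=$(conf_get "$1" "$key")
        [ -z "$path" ] && continue
        if [ ! -e "$path" ]; then
            echo "MISSING $key $path"; rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $key $path"; rc=1
        fi
    done
    return $rc
}

# check_tls_mode FILE: flag an ldaps:// URI combined with ldap_start_tls on.
# STARTTLS upgrades a plaintext LDAP session; it cannot be sent on a
# connection that is already TLS from the first byte. Returns 1 on conflict.
check_tls_mode() {
    uri=$(conf_get "$1" ldap_uri)
    starttls=$(conf_get "$1" ldap_start_tls)
    case "$uri" in
        ldaps://*)
            case "$starttls" in
                1|yes|on|t|true)
                    echo "CONFLICT ldap_uri is ldaps:// but ldap_start_tls is enabled"
                    return 1 ;;
            esac ;;
    esac
    return 0
}

# Usage: sh check_ldap_tls.sh /etc/imapd.conf   (script name and path assumed)
if [ $# -gt 0 ]; then
    status=0
    check_old_names "$1"  || status=1
    check_cert_paths "$1" || status=1
    check_tls_mode "$1"   || status=1
    [ $status -eq 0 ] && echo "OK: no LDAP TLS config problems found in $1"
    exit $status
fi
```

Run it as the daemon's user, for example `su -s /bin/sh cyrus -c "sh check_ldap_tls.sh /etc/imapd.conf"` (user name and paths assumed). A clean result narrows the problem to ptloader's own TLS negotiation rather than to a config it cannot act on; a MISSING or UNREADABLE line, or an old option name, is the kind of silent misconfiguration the thread suspects.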

------------------------------------------
Cyrus: Info
Permalink: 
https://cyrus.topicbox.com/groups/info/T1c604a219c5fa805-Mbcff995bb27cdf8e6b6803d5
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
