Closed samuelheinrich closed 4 years ago
Update: LDAPS is now working.
I modified /etc/ldap.conf as follows:
TLS_REQCERT never
Thank you for posting the details of the issue.
That is correct, the Root and any Intermediate CA servers would need to be installed in the Server's CA Trusted Certificate store.
At a minimum, the LDAP configuration page will be updated to provide information on enabling this feature.
Fixed Secure LDAP Functionality & Added notation on Requirements that the LDAP's Server Certificate and/or Root CA must be trusted by the server hosting iPSK-Manager.
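
One way the trust requirement noted above can be met from PHP when the CA is supplied to the application rather than through the system store. This is an added example, not iPSK-Manager's own code; the function name, host, bind DN and CA file path are placeholders.

```php
<?php
/**
 * Open an LDAPS connection that verifies the server certificate against
 * a given CA bundle instead of turning verification off.
 * Hypothetical helper for illustration only.
 */
function ldapsConnectVerified(string $host, string $caFile, string $bindDn, string $password)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }

    // Set the TLS options globally (null link) before ldap_connect();
    // options set on an already created connection are often not applied.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect("ldaps://{$host}:636");
    if ($conn === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The TCP connection and TLS handshake happen on the first operation (the bind),
    // so certificate problems surface here and not at ldap_connect().
    if (!@ldap_bind($conn, $bindDn, $password)) {
        $diag = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $msg = sprintf('%s (errno %d) %s', ldap_error($conn), ldap_errno($conn), $diag);
        ldap_unbind($conn);
        throw new RuntimeException("LDAPS bind failed: $msg");
    }
    return $conn;
}

// Usage with placeholder values (constructed, not from the issue):
// $conn = ldapsConnectVerified(
//     'ldap.example.com',
//     '/etc/ssl/certs/example-root-ca.pem',
//     'CN=svc-ipsk,OU=Service,DC=example,DC=com',
//     getenv('LDAP_BIND_PASSWORD')
// );
```

The diagnostic message separates a certificate failure from a credential failure: the former is reported as a connection error, the latter as invalid credentials.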
LDAP works fine, LDAPS does not work. There seems to be an issue with the secure LDAP checkbox in the GUI. When adding an LDAP server, the checkbox for secure LDAP always resets to unchecked after applying the setting.
tcpdump shows that port 389 is used.
But I was able to set the value in the MySQL DB.
mysql> select * from ldapServers;
mysql> update ldapServers set adSecure = 1 where adSecure = 0;
That works; tcpdump shows that the connection is now on port 636.
Unfortunately, I get an authentication error.
I double-checked with "ldapsearch" that the LDAP server is accessible via LDAPS; this only works with the option "LDAPTLS_REQCERT=never", as I did not install the server certs (and I prefer not to).
I assume that iPSK-Manager fails to authenticate against LDAPS because it also lacks the server certificates.
I tried to modify BaseLDAPClass.php so that it ignores any certificates:
ldap_set_option($ldapConnection, LDAP_OPT_DEBUG_LEVEL, 7);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT, 0);
(or LDAP_OPT_X_TLS_ALLOW)
Unfortunately, this does not work either.
I don't see any options in the GUI to import certs.
Any updates on this?