emqx / emqx-auth-ldap

EMQX LDAP Authentication Plugin
https://www.emqx.io
Apache License 2.0

Feature Request: Allow STARTTLS and SSL secured authentication #124

Open kevin-olbrich opened 3 years ago

kevin-olbrich commented 3 years ago

EMQX allows the use of plain-text (unsecured) as well as certificate-based binds. Binding using STARTTLS on port 389 as well as SSL on 636 fails, but these are the most used combinations.

kevin-olbrich commented 3 years ago

Workaround using Debian 10 Buster:

Set ldap server to 127.0.0.1 with port 389 and ssl off.

Shell:

# apt install stunnel4

# vim /etc/stunnel/ldap.conf

; stunnel in client mode: accept plain LDAP on localhost and forward it over TLS
client = yes
[389]
accept = localhost:389
connect = ldap.example.com:636
; note: without verifyChain = yes plus CAfile/CApath (and checkHost for the server
; name), stunnel does not verify the server certificate; the hop is encrypted but
; the remote LDAP server is not authenticated

# systemctl restart stunnel4.service

This example only works with LDAP over a TLS (mostly called SSL) socket, not with STARTTLS. Traffic is handled on localhost by the stunnel service and only leaves the node encrypted.
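An added check (example code, not from the issue or from the emqx-auth-ldap project) that reads a stunnel config like the one in the workaround and reports whether the client side actually verifies the LDAP server's certificate. stunnel performs no peer verification unless verifyChain/verifyPeer (or verify >= 2) and a CAfile/CApath are configured, so the posted config encrypts the hop but would accept any certificate the remote side presents; the config paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from emqx-auth-ldap.
# Checks whether a client-mode stunnel config verifies the remote server
# certificate. stunnel performs no peer verification by default: it needs
# verifyChain = yes (or verifyPeer = yes, or verify >= 2) together with a
# CAfile or CApath, and checkHost to pin the expected server name.
# The config is treated as flat, which is correct for a single-service file
# like the one in the workaround above.
# Returns 0 when verification is configured, 1 otherwise, and prints findings.
stunnel_verifies() {
    conf="$1"
    # Normalise: drop ';' and '#' comments, trim whitespace, remove spaces around '='
    norm=$(sed -e 's/[;#].*$//' \
               -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e 's/[[:space:]]*=[[:space:]]*/=/' "$conf")
    verify=no; ca=no; host=no
    printf '%s\n' "$norm" | grep -qix 'verifyChain=yes' && verify=yes
    printf '%s\n' "$norm" | grep -qix 'verifyPeer=yes'  && verify=yes
    printf '%s\n' "$norm" | grep -qi  '^verify=[2-4]$'  && verify=yes
    printf '%s\n' "$norm" | grep -qi  '^CAfile=.'       && ca=yes
    printf '%s\n' "$norm" | grep -qi  '^CApath=.'       && ca=yes
    printf '%s\n' "$norm" | grep -qi  '^checkHost=.'    && host=yes
    echo "$conf: peer verification=$verify, CA configured=$ca, checkHost=$host"
    [ "$verify" = yes ] && [ "$ca" = yes ]
}

# Optional CLI usage (assumed paths): sh check_stunnel.sh /etc/stunnel/ldap.conf
if [ $# -gt 0 ]; then
    stunnel_verifies "$1"
fi
```

Run it against /etc/stunnel/ldap.conf after editing; a config that passes should also carry checkHost so that a certificate from the trusted CA for a different host is rejected.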