Kolab webadmin connect to LDAPS server
Open, Public

Description

I was not able to make Kolab WAP work with LDAPS. Finally I got it working with the following setup:
kolab.conf

[ldap]
ldap_uri = ldaps://pao1.it.fsi.io

and modifying lib/Auth/LDAP.php file:

--- lib/Auth/LDAP.php.orig      2017-05-15 09:29:35.280000000 +0000
+++ lib/Auth/LDAP.php   2017-05-15 09:28:41.629000000 +0000
@@ -104,7 +104,7 @@ class LDAP extends Net_LDAP3 {
             }
         }
 
-        $this->config_set("host", $this->_ldap_server);
+        $this->config_set("host", $this->_ldap_uri);
         $this->config_set("port", $this->_ldap_port);
         $this->config_set("use_tls", $this->_ldap_scheme == 'tls');
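Review bot: Storing the full URI (`$this->_ldap_uri`, e.g. `ldaps://host`) under the `host` key, while `port` and `use_tls` are still set separately on the two following context lines, gives every consumer of `host` a URI where it expects a bare server name; the ldapsearch wrapper is one such consumer, and the log later in this ticket shows it emitting `-h ldaps://ldap.server:636 -p 636` and failing with return code 91. Suggest keeping `host` as the hostname and composing `$scheme://$host` only at the ldap_connect() call site (or adding a separate `uri` config key), and adding a comment on why the scheme must reach ldap_connect() so the next reader does not revert it.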

It looks like PHP expects $scheme://$ldap_server in the $host part of ldap_connect($host, $port).

Details

Ticket Type
Task
machniak closed this task as Resolved. May 15 2017, 12:32 PM
machniak claimed this task.
machniak added a subscriber: machniak.

Fixed in 1b605db5f721f.

adomaitis reopened this task as Open. May 19 2017, 3:42 PM

This could be more complicated than that. Unfortunately I don't have enough time to investigate it deeper, but the above patch may influence how the ldapsearch command is being issued by WAP. With the following patch I can log in to WAP, but navigating inside WAP is inconsistent - sometimes it shows users, sometimes not.

[19-May-2017 05:49:45 -0700](5t6r5rso35flk0urutm681uh35): [INFO] (api) Vendor name is 389 Project
[19-May-2017 05:49:45 -0700](5t6r5rso35flk0urutm681uh35): [DEBUG] (api) LDAP: Executing command: /usr/lib64/mozldap/ldapsearch -x -h ldaps://ldap.server:636 -p 636 -b 'ou=People,dc=domain,dc=tld' -s base -D 'cn=Directory Manager' -w * -J '1.3.6.1.4.1.42.2.27.9.5.2:true:dn:cn=Directory Manager' "(objectclass=*)" "*"
[19-May-2017 05:49:45 -0700](5t6r5rso35flk0urutm681uh35): [DEBUG] (api) LDAP: Command output:array (
)
[19-May-2017 05:49:45 -0700](5t6r5rso35flk0urutm681uh35): [DEBUG] (api) Return code: 91

This ldapsearch command doesn't work from command line either:

ldap_simple_bind: Can't connect to the LDAP server - Invalid argument

I may have some time later to look deeper into what is happening.

We should try to use -H instead of -h and -b for ldapsearch.

That is what I thought, but:

-H display usage information

mozldap ldapsearch is a bit different from the openldap ldap client tools.

It turns out the mozldap ldapsearch tool uses nssdb for certificate verification and you can't turn it off. That means that for mozldap ldapsearch you need to create an nssdb database and put the CA certificate into this DB to make it work, otherwise you will get the error SSL initialization failed: error -8015 (unknown).
These are the steps I did:

Run mozldap ldap search with SSL enabled:

# /usr/lib64/mozldap/ldapsearch -x -h ldaphost -p 636 -b 'ou=People,dc=domain,dc=tld' -s base -D 'cn=Directory Manager' -w - -J '1.3.6.1.4.1.42.2.27.9.5.2:true:dn:cn=Directory Manager' '(objectclass=*)' -Z
SSL initialization failed: error -8015 (unknown)

Notice -Z at the end of the command.

Create NSSDB:

# certutil -N -d /path/to/nssdb

I used empty password for the database. Verify that it is created:

# certutil -L -d /path/to/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Note: you can use . as /path/to/nssdb to create DB in the current directory.

Add CA certificate to the database. You will need a certificate in pem format to import:

# certutil -d . -A -n "Wildcard domain.tld certificate" -i /path/to/domain.tld.ca.crt -t 'C,,'

Verify that the certificate is in DB:

# certutil -L -d /path/to/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Wildcard domain.tld certificate                               C,,

Run the mozldap ldapsearch tool again:

/usr/lib64/mozldap/ldapsearch -x -h ldaphost -p 636 -P /path/to/nssdb -b 'ou=People,dc=domain,dc=tld' -s base -D 'cn=Directory Manager' -w - -J '1.3.6.1.4.1.42.2.27.9.5.2:true:dn:cn=Directory Manager' '(objectclass=*)' -Z

Now the search works. It works even without -P if you run it from the directory where you have created the NSSDB; in other words, it looks like the default path to the NSSDB (-P parameter) is the current directory (.).
So it looks like for Kolab WAP to work with ldaps, the mozldap ldapsearch command should be used with -Z to enable SSL and with -P /path/to/nssdb, where the nssdb is created in the /path/to/nssdb/ directory.
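The two findings in this ticket, that ldap_connect() wants the scheme in the host part while mozldap ldapsearch wants a bare hostname in -h plus -Z and -P /path/to/nssdb, are easy to reconcile if the URI from kolab.conf is split once into scheme, host and port. The POSIX shell script below is an added example and not Kolab's code: parse_ldap_uri does that split (defaulting to 636 for ldaps and 389 for ldap), nssdb_ready checks that certutil -N has actually produced a database in the -P directory, and build_ldapsearch_cmd assembles the command line so that the URI can never end up in -h. Host names, DNs and paths are constructed placeholders; the script only prints the command, it does not contact a server.

```shell
#!/bin/sh
# Added example, not Kolab's own code: turn the ldap_uri from kolab.conf into
# the pieces mozldap ldapsearch needs (bare hostname for -h, port for -p,
# -Z plus -P /path/to/nssdb for ldaps) instead of passing the whole URI to -h.
# Host names, DNs and paths below are constructed placeholders.

# parse_ldap_uri URI
# Prints "scheme host port" on one line. Port defaults to 636 for ldaps and
# 389 for ldap when the URI carries none. Returns 1 on an unsupported scheme.
parse_ldap_uri() {
    uri=$1
    case $uri in
        ldaps://*) scheme=ldaps; rest=${uri#ldaps://} ;;
        ldap://*)  scheme=ldap;  rest=${uri#ldap://} ;;
        *) echo "parse_ldap_uri: unsupported scheme in '$uri'" >&2; return 1 ;;
    esac
    rest=${rest%%/*}                 # strip any trailing path component
    case $rest in
        *:*) host=${rest%%:*}; port=${rest##*:} ;;
        *)   host=$rest
             if [ "$scheme" = ldaps ]; then port=636; else port=389; fi ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "parse_ldap_uri: bad port '$port'" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# nssdb_ready DIR
# Returns 0 when DIR holds an NSS database (legacy cert8.db or SQL cert9.db),
# which is what certutil -N creates and what ldapsearch -P expects to find.
nssdb_ready() {
    [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ]
}

# build_ldapsearch_cmd URI NSSDB_DIR BASE_DN BIND_DN
# Prints the mozldap ldapsearch command line. The bind password is read from
# stdin (-w -) so it never appears in the process list or in a debug log.
build_ldapsearch_cmd() {
    parsed=$(parse_ldap_uri "$1") || return 1
    scheme=${parsed%% *}; hostport=${parsed#* }
    host=${hostport%% *}; port=${hostport#* }
    cmd="/usr/lib64/mozldap/ldapsearch -x -h $host -p $port -b '$3' -s base -D '$4' -w -"
    if [ "$scheme" = ldaps ]; then
        # Without a populated NSS DB the tool fails with "SSL initialization
        # failed: error -8015", so warn before the operator hits that.
        nssdb_ready "$2" || echo "warning: no NSS database in $2; run certutil -N -d $2 and import the CA first" >&2
        cmd="$cmd -Z -P $2"
    fi
    printf '%s\n' "$cmd '(objectclass=*)'"
}

# Usage on a constructed ldaps URI (prints the command line, does not run it):
build_ldapsearch_cmd 'ldaps://ldap.server:636' /path/to/nssdb \
    'ou=People,dc=domain,dc=tld' 'cn=Directory Manager'
```

Pipe the output into sh (or eval it) only after supplying the password on stdin; keeping -w - rather than -w "$password" is what stops the Directory Manager credential from being logged the way the command line in the debug output above is.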

pasik added a subscriber: pasik.Nov 25 2017, 2:31 PM