Comments (8)
We can close this out. I figured it out. I believe I was having trouble due to specifying ldaps:// URLs and also having LDAPUseTLS on.
I think the documentation could be made much more explicit in warning users NOT to enable LDAPUseTLS if you want to use ldaps:// URLs. The OpenLDAP libraries will throw an error or warning when TLS is already engaged and StartTLS is attempted. I think this was causing the problem.
I like the idea of this patch; in a similar vein, I have received requests about how to configure SSL/TLS certs for e.g. mod_sql talking to the SQL database via SSL/TLS (see Bug#4200).
So now I'm wondering whether these sorts of settings can be reused and/or configured in mod_tls, and used by other modules such as mod_ldap, mod_sql, etc. What would you think of that idea?
I'm not sure it would be correct, because usually those certificates are different. Of course there are cases when someone uses one certificate+key for everything on 200 boxes, but I wouldn't trust such a "secure" network :-) And at least the client certificates for LDAP and the SQL database should not be the same.
Agreed about using different certificates for SQL databases vs LDAP directories. For the recent 1.3.6rc2 release, I ended up enhancing the existing mod_sql directives to take optional TLS-related parameters (for cert, key, and CA). I'm thinking that this patch could be adjusted to do something similar for mod_ldap, e.g.:

```
LDAPServer ... ssl-ca:/path/to/ca.pem ssl-cert:/path/to/cert.pem ssl-key:/path/to/key.pem
```
Given the way that TLS stacks are moving away from CRLs and more towards OCSP, I'm thinking that the CRL-related tweaks may not be needed. At least not initially. Thoughts?
What root certificates does mod_ldap check against? I'm having trouble using LDAPS against Active Directory using a server certificate generated from our enterprise CA. I would have assumed it would check the local list of root certs.
I'm on CentOS 7. I've added our trusted root certificate to the certificate store and proved it's in the ca-bundle.crt list following these directions.
I can confirm connectivity to my AD server using the openssl client, but mod_ldap fails to connect.
Thanks.
@silverl Assuming your mod_ldap uses the OpenLDAP library, then you would look for your /etc/openldap/ldap.conf file; this is the configuration file for OpenLDAP client functionality (including library-using applications like mod_ldap). In that ldap.conf, you would look for (and/or add) the TLS_CACERT and/or TLS_CACERTDIR directives, per the [OpenLDAP TLS configuration docs](http://www.openldap.org/doc/admin24/tls.html#TLS Configuration); see sections 16.2.2.1 and 16.2.2.2.
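As an added illustration (not proftpd code, and not posted by anyone in this thread), the following Python lint encodes the two pitfalls raised above: LDAPUseTLS on together with an ldaps:// LDAPServer URL (StartTLS attempted on a session that is already TLS), and an ldaps:// or StartTLS setup with no TLS_CACERT/TLS_CACERTDIR trust anchor in the OpenLDAP client ldap.conf. The host name and file contents are constructed for the example.

```python
"""Lint mod_ldap + OpenLDAP ldap.conf settings for the TLS pitfalls
discussed in the thread. Added example; not part of proftpd."""


def parse_directives(text):
    """Return (directive, value) pairs; comments and blank lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs


def lint_ldap_tls(proftpd_conf, ldap_conf):
    """Return a list of findings (empty list means nothing to flag)."""
    findings = []
    pd = parse_directives(proftpd_conf)
    # ldap.conf keywords are case-insensitive; normalise for lookup
    ld = {d.upper(): v for d, v in parse_directives(ldap_conf)}
    use_tls = any(d.lower() == "ldapusetls" and v.lower() == "on" for d, v in pd)
    urls = [u for d, v in pd if d.lower() == "ldapserver" for u in v.split()]
    ldaps = [u for u in urls if u.lower().startswith("ldaps://")]
    plain = [u for u in urls if u.lower().startswith("ldap://")]
    if ldaps and use_tls:
        findings.append("LDAPUseTLS on with ldaps:// URL: StartTLS would be "
                        "attempted on an already-TLS session; use only one")
    if plain and not use_tls:
        findings.append("ldap:// URL without LDAPUseTLS: bind credentials "
                        "travel in cleartext")
    if (ldaps or use_tls) and not ({"TLS_CACERT", "TLS_CACERTDIR"} & set(ld)):
        findings.append("no TLS_CACERT/TLS_CACERTDIR in ldap.conf: the server "
                        "certificate cannot be verified against your CA")
    if ld.get("TLS_REQCERT", "").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT never/allow: certificate verification "
                        "failures are ignored")
    return findings


# Constructed sample inputs: the misconfiguration from the thread, and a fix.
BROKEN_PROFTPD = "LDAPServer ldaps://dc01.example.internal\nLDAPUseTLS on\n"
FIXED_PROFTPD = "LDAPServer ldaps://dc01.example.internal\nLDAPUseTLS off\n"
LDAP_CONF_MISSING = "# no trust anchors configured\nBASE dc=example,dc=internal\n"
LDAP_CONF_OK = "TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt\n"

if __name__ == "__main__":
    for finding in lint_ldap_tls(BROKEN_PROFTPD, LDAP_CONF_MISSING):
        print("finding:", finding)
    print("fixed config findings:", lint_ldap_tls(FIXED_PROFTPD, LDAP_CONF_OK))
```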
@silverl Issue #946 should address the configuration issue you encountered.
Now supported in master, using a slightly different syntax (to allow for server-specific settings).