
Comments (8)

silverl avatar silverl commented on May 20, 2024 1

We can close this out. I figured it out. I believe I was having trouble due to specifying ldaps:// urls and also having LDAPUseTLS on.

I think the documentation could be made much more explicit in warning users NOT to enable LDAPUseTLS if you want to use ldaps:// URLs. The openldap libraries will throw an error or warning when TLS is already engaged and startTLS is attempted. I think this was causing the problem.


Castaglia avatar Castaglia commented on May 20, 2024

I like the idea of this patch; in a similar vein, I have received requests about how to configure SSL/TLS certs for e.g. mod_sql talking to the SQL database via SSL/TLS (see Bug#4200).

So now I'm wondering whether these sorts of settings can be reused and/or configured in mod_tls, and used by other modules such as mod_ldap, mod_sql, etc. What would you think of that idea?


vaygr avatar vaygr commented on May 20, 2024

I'm not sure it would be correct, because usually those certificates are different. Of course there are cases when someone uses one certificate+key for everything on 200 boxes, but I wouldn't trust such a "secure" network :-) And at least client certificates for LDAP and SQL database should not be the same.


Castaglia avatar Castaglia commented on May 20, 2024

Agreed about using different certificates for SQL databases vs LDAP directories. For the recent 1.3.6rc2 release, I ended up enhancing the existing mod_sql directives to take optional TLS-related parameters (for cert, key, and CA). I'm thinking that this patch could be adjusted to do something similar for mod_ldap, e.g.:

LDAPServer ... ssl-ca:/path/to/ca.pem ssl-cert:/path/to/cert.pem ssl-key:/path/to/key.pem

Given the way that TLS stacks are moving away from CRLs and more towards OCSP, I'm thinking that the CRL-related tweaks may not be needed. At least not initially. Thoughts?


silverl avatar silverl commented on May 20, 2024

What root certificates does mod_ldap check against? I'm having trouble using LDAPS against Active Directory using a server certificate generated from our enterprise CA. I would have assumed it would check the local list of root certs.

I'm on CentOS 7. I've added our trusted root certificate to the certificate store and proved it's in the ca-bundle.crt list following these directions.

I can confirm connectivity to my AD server using the openssl client, but mod_ldap fails to connect.

Thanks.


Castaglia avatar Castaglia commented on May 20, 2024

@silverl Assuming your mod_ldap uses the OpenLDAP library, then you would look for your /etc/openldap/ldap.conf file; this is the configuration file for OpenLDAP client functionality (including library-using applications like mod_ldap). In that ldap.conf, you would look for (and/or add) the TLS_CACERT and/or TLS_CACERTDIR directives, per the [OpenLDAP TLS configuration docs](http://www.openldap.org/doc/admin24/tls.html#TLS%20Configuration); see sections 16.2.2.1 and 16.2.2.2.

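The two configuration problems raised in this thread (an ldaps:// LDAPServer URL combined with LDAPUseTLS on, and the OpenLDAP client not being told which CA to trust) are easy to lint for before restarting proftpd. The following is an added example, not proftpd's own code or anything from this issue; it assumes POSIX sh with grep and awk, that the OpenLDAP client config is a plain ldap.conf, and, as a deliberate policy of this lint, that an explicit TLS_CACERT or TLS_CACERTDIR must be present.

```shell
#!/bin/sh
# Added example (not part of proftpd): lint a proftpd.conf and the OpenLDAP
# client ldap.conf for the two mod_ldap TLS problems discussed above.
# Assumes POSIX sh, grep and awk.
#
# check_mod_ldap_tls PROFTPD_CONF LDAP_CONF
#   returns 0 when the configuration is consistent, 1 when a problem was found
check_mod_ldap_tls() {
    conf="$1"
    ldapconf="$2"
    status=0

    # 1. ldaps:// negotiates TLS on connect; LDAPUseTLS additionally asks the
    #    OpenLDAP library for StartTLS on that session, which it reports as an
    #    error or warning. Flag the combination.
    uses_ldaps=0
    if grep -Eiq '^[[:space:]]*LDAPServer[[:space:]]+.*ldaps://' "$conf"; then
        uses_ldaps=1
    fi
    use_tls=0
    if grep -Eiq '^[[:space:]]*LDAPUseTLS[[:space:]]+on([[:space:]]|$)' "$conf"; then
        use_tls=1
    fi
    if [ "$uses_ldaps" -eq 1 ] && [ "$use_tls" -eq 1 ]; then
        echo "error: ldaps:// LDAPServer combined with 'LDAPUseTLS on' (StartTLS on a TLS session)" >&2
        status=1
    fi

    # 2. The CA that signed the LDAP server certificate is named in ldap.conf
    #    via TLS_CACERT (file) or TLS_CACERTDIR (directory). This lint requires
    #    one of them (an assumption of this example) and checks the path exists.
    #    Last occurrence wins, as with most single-valued directives.
    cacert=$(awk 'toupper($1) == "TLS_CACERT"    { v = $2 } END { print v }' "$ldapconf")
    cadir=$(awk  'toupper($1) == "TLS_CACERTDIR" { v = $2 } END { print v }' "$ldapconf")
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "error: neither TLS_CACERT nor TLS_CACERTDIR is set in $ldapconf" >&2
        status=1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "error: TLS_CACERT $cacert is not readable" >&2
        status=1
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "error: TLS_CACERTDIR $cadir is not a directory" >&2
        status=1
    fi
    return "$status"
}

# Usage: sh lint-mod-ldap-tls.sh /etc/proftpd.conf /etc/openldap/ldap.conf
if [ "$#" -eq 2 ]; then
    check_mod_ldap_tls "$1" "$2"
fi
```

Run it against the live files before reloading proftpd; a non-zero exit with the printed reason points at whichever of the two files needs attention. Fixing the first finding means either dropping LDAPUseTLS (keep ldaps://) or switching the URL to ldap:// and letting LDAPUseTLS upgrade the session with StartTLS, never both.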

Castaglia avatar Castaglia commented on May 20, 2024

@silverl Issue #946 should address the configuration issue you encountered.


Castaglia avatar Castaglia commented on May 20, 2024

Now supported in master, using a slightly different syntax (to allow for server-specific settings).

