[Ilugc] Need help on issue with ldaps in zimbra

Shrinivasan T tshrinivasan at gmail.com
Fri Aug 17 00:21:59 IST 2012


I have a zimbra mail server.

Recently I wanted to move to ldaps from ldap for higher security.

I did the following steps to do this.

zmlocalconfig -e ldap_master_url=ldaps://mail.domain.com:636
zmlocalconfig -e ldap_url=ldaps://mail.domain.com:636
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_port=636
zmcontrol stop && zmcontrol start

wiki.zimbra.com/wiki/How_to_enable_ldaps

But after this, external LDAP tools cannot connect to the server.

I can query the records within the server using ldapsearch.

If I do ldapsearch from an external server, it throws the following error.


ldapsearch -x -v -H 'ldaps://mail.domain.com/' -b 'ou=people,dc=domain,dc=com' -D 'uid=test1,ou=people,dc=domain,dc=com' -W -d -1
ldap_url_parse_ext(ldaps://mail.domain.com/)
ldap_initialize( ldaps://mail.domain.com:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://mail.domain.com:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mail.domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 203.124.153.100:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
tls_write: want=117, written=117
  0000:  16 03 00 00 70 01 00 00  6c 03 03 50 2d 1e 2e 73   ....p...l..P-..s
  0010:  62 93 ae e4 3d 82 3a 3e  d2 39 28 9a d1 e8 f1 46   b...=.:>.9(....F
  0020:  0a 6f 01 fe 23 00 24 e1  47 c0 fc 00 00 30 00 33   .o..#.$.G....0.3
  0030:  00 67 00 45 00 39 00 6b  00 88 00 16 00 32 00 40   .g.E.9.k.....2.@
  0040:  00 44 00 38 00 6a 00 87  00 13 00 66 00 2f 00 3c   .D.8.j.....f./.<
  0050:  00 41 00 35 00 3d 00 84  00 0a 00 05 00 04 01 00   .A.5.=..........
  0060:  00 13 ff 01 00 01 00 00  0d 00 0a 00 08 04 02 04   ................
  0070:  01 02 01 02 02                                     .....
tls_read: want=5, got=5
  0000:  16 03 01 00 51                                     ....Q
tls_read: want=81, got=81
  0000:  02 00 00 4d 03 01 50 2d  1f fa 0d e6 8e 77 c3 12   ...M..P-.....w..
  0010:  05 c7 bf a9 f0 92 36 b9  03 50 38 c0 01 fd 5a 25   ......6..P8...Z%
  0020:  0e 7e b0 36 70 22 20 ca  fd 53 f4 2b ae 2c 4c f1   .~.6p" ..S.+.,L.
  0030:  96 fd 72 84 7b 9b c9 b4  79 fa c8 ed 89 7f 46 49   ..r.{...y.....FI
  0040:  9e e6 ea 48 df e8 a2 00  2f 00 00 05 ff 01 00 01   ...H..../.......
  0050:  00                                                 .
tls_read: want=5, got=5
  0000:  16 03 01 02 b4                                     .....
tls_read: want=692, got=692
  0000:  0b 00 02 b0 00 02 ad 00  02 aa 30 82 02 a6 30 82   ..........0...0.
  0010:  02 0f a0 03 02 01 02 02  05 13 44 79 82 29 30 0d   ..........Dy.)0.
  0020:  06 09 2a 86 48 86 f7 0d  01 01 04 05 00 30 81 8e   ..*.H........0..
  0030:  31 0b 30 09 06 03 55 04  06 13 02 55 53 31 0c 30   1.0...U....US1.0
  0040:  0a 06 03 55 04 08 13 03  4e 2f 41 31 0c 30 0a 06   ...U....N/A1.0..
  0050:  03 55 04 07 13 03 4e 2f  41 31 23 30 21 06 03 55   .U....N/A1#0!..U
  0060:  04 0a 13 1a 5a 69 6d 62  72 61 20 43 6f 6c 6c 61   ....Zimbra Colla
  0070:  62 6f 72 61 74 69 6f 6e  20 53 75 69 74 65 31 23   boration Suite1#
  0080:  30 21 06 03 55 04 0b 13  1a 5a 69 6d 62 72 61 20   0!..U....Zimbra
  0090:  43 6f 6c 6c 61 62 6f 72  61 74 69 6f 6e 20 53 75   Collaboration Su
  00a0:  69 74 65 31 19 30 17 06  03 55 04 03 13 10 6d 61   ite1.0...U....ma
  00b0:  69 6c 2e 76 69 6a 61 79  74 76 2e 63 6f 6d 30 20   il.domain.com0
  00c0:  17 0d 31 32 30 38 31 32  31 39 30 33 35 33 5a 18   ..120812190353Z.
  00d0:  0f 32 31 31 32 30 37 31  39 31 39 30 33 35 33 5a   .21120719190353Z
  00e0:  30 81 80 31 0b 30 09 06  03 55 04 06 13 02 55 53   0..1.0...U....US
  00f0:  31 0c 30 0a 06 03 55 04  08 13 03 4e 2f 41 31 23   1.0...U....N/A1#
  0100:  30 21 06 03 55 04 0a 13  1a 5a 69 6d 62 72 61 20   0!..U....Zimbra
  0110:  43 6f 6c 6c 61 62 6f 72  61 74 69 6f 6e 20 53 75   Collaboration Su
  0120:  69 74 65 31 23 30 21 06  03 55 04 0b 13 1a 5a 69   ite1#0!..U....Zi
  0130:  6d 62 72 61 20 43 6f 6c  6c 61 62 6f 72 61 74 69   mbra Collaborati
  0140:  6f 6e 20 53 75 69 74 65  31 19 30 17 06 03 55 04   on Suite1.0...U.
  0150:  03 13 10 6d 61 69 6c 2e  76 69 6a 61 79 74 76 2e   ...mail.domain.
  0160:  63 6f 6d 30 81 9f 30 0d  06 09 2a 86 48 86 f7 0d   com0..0...*.H...
  0170:  01 01 01 05 00 03 81 8d  00 30 81 89 02 81 81 00   .........0......
  0180:  c2 ea fe 28 84 d8 50 e2  e3 48 67 53 f2 68 1f e3   ...(..P..HgS.h..
  0190:  ea 6f 4a da 6b 96 c5 31  3d fb 67 b1 9f 53 59 5c   .oJ.k..1=.g..SY\
  01a0:  de cb ee a3 f1 b2 fe 50  ca 70 95 78 86 a2 ae dc   .......P.p.x....
  01b0:  53 52 bd 05 87 c2 03 32  56 3b 10 dd ef a5 4a 75   SR.....2V;....Ju
  01c0:  67 4a a2 60 f5 48 86 bc  eb a8 9d 61 ad 14 88 86   gJ.`.H.....a....
  01d0:  b0 f1 18 92 1e 68 65 99  9d 1a de c1 fc 4e c8 12   .....he......N..
  01e0:  6d 6f 6a 39 9b a4 4b 22  f0 28 0f 64 17 2b 8b 01   moj9..K".(.d.+..
  01f0:  ce 4e f0 59 ab cf 73 ea  6b cf f7 32 18 76 7f 8d   .N.Y..s.k..2.v..
  0200:  02 03 01 00 01 a3 1a 30  18 30 09 06 03 55 1d 13   .......0.0...U..
  0210:  04 02 30 00 30 0b 06 03  55 1d 0f 04 04 03 02 05   ..0.0...U.......
  0220:  e0 30 0d 06 09 2a 86 48  86 f7 0d 01 01 04 05 00   .0...*.H........
  0230:  03 81 81 00 bc 4a db 09  fe 15 f0 6c b9 18 86 cc   .....J.....l....
  0240:  fc e7 1d e7 90 a9 f0 42  d2 af fa 13 9c e7 92 04   .......B........
  0250:  b2 ea 74 5b c3 b9 c8 33  2d 16 b2 82 4c f0 07 d1   ..t[...3-...L...
  0260:  26 19 4b e0 1d 08 7d 56  dd c6 c7 dc a2 4f 9b db   &.K...}V.....O..
  0270:  66 d5 5b 39 1d 2f ed 1e  7e cb ab cc 0b 93 34 86   f.[9./..~.....4.
  0280:  22 78 9a 6d 14 81 c7 9c  44 8a b6 c6 f2 2b 89 7c   "x.m....D....+.|
  0290:  e1 d9 94 64 d7 c5 4c 8b  40 b1 6e 68 35 dd c1 7b   ...d..L.@.nh5..{
  02a0:  74 f1 ad f0 12 6f 73 93  0f 39 e0 b3 cb 0a cd 54   t....os..9.....T
  02b0:  70 58 21 5c                                        pX!\
tls_read: want=5, got=5
  0000:  16 03 01 00 04                                     .....
tls_read: want=4, got=4
  0000:  0e 00 00 00                                        ....
tls_write: want=139, written=139
  0000:  16 03 01 00 86 10 00 00  82 00 80 80 9a 48 cc cc   .............H..
  0010:  ea 83 ea 8e 84 98 15 76  59 25 91 83 c0 6c 12 e2   .......vY%...l..
  0020:  32 50 38 86 6a d9 6e 19  dc a7 60 73 91 24 5c da   2P8.j.n...`s.$\.
  0030:  90 cb 32 5d e9 45 0b df  c6 7d 47 4d 2a fe 74 e9   ..2].E...}GM*.t.
  0040:  90 6e 33 fc 42 09 43 e0  e9 5e 66 c3 03 10 9b 03   .n3.B.C..^f.....
  0050:  e3 a0 2e 5f 9f f6 ce 9f  99 10 57 1d 2b ad f3 29   ..._......W.+..)
  0060:  a7 d8 93 2c 0b 95 e2 c3  57 6b e7 55 b7 5c 55 b8   ...,....Wk.U.\U.
  0070:  9b 36 cc 79 ee 3d e9 e3  64 37 f7 59 95 72 7d 79   .6.y.=..d7.Y.r}y
  0080:  b7 81 28 b1 c5 7b 14 75  df 91 00                  ..(..{.u...
tls_write: want=6, written=6
  0000:  14 03 01 00 01 01                                  ......
tls_write: want=229, written=229
  0000:  16 03 01 00 e0 df c0 ea  8a 8c f5 94 28 cb 61 f5   ............(.a.
  0010:  cf c4 b1 b7 09 3a 86 99  f1 f4 2b 5d 6a 16 da b6   .....:....+]j...
  0020:  44 17 0f 7d 71 9d 0b e5  b5 e2 b1 01 33 63 7f 06   D..}q.......3c..
  0030:  c0 57 7b c5 ba 66 37 60  92 b4 8e f8 87 b3 6f 61   .W{..f7`......oa
  0040:  5d cf a2 80 4e e2 a4 69  53 69 60 3b d9 2c 8b 18   ]...N..iSi`;.,..
  0050:  e6 39 03 73 dd 17 74 d5  97 47 84 7d 62 42 1b 94   .9.s..t..G.}bB..
  0060:  77 7c 44 77 b8 f9 59 37  cb 52 15 07 94 e6 eb fe   w|Dw..Y7.R......
  0070:  f0 a7 ab 04 f7 1b 03 e9  a5 25 53 70 e4 20 47 d4   .........%Sp. G.
  0080:  a4 01 3b de 4b 7f 4b ff  06 d0 90 cf 98 14 fd 94   ..;.K.K.........
  0090:  f9 85 6e 25 6a 61 47 0a  df 3d 79 94 b8 ee d2 04   ..n%jaG..=y.....
  00a0:  da ab b4 99 39 e1 55 09  3a 00 4a 31 72 86 bd ed   ....9.U.:.J1r...
  00b0:  cb ae de 33 74 0e e6 d5  1d 37 8f a9 b8 6e 9a 61   ...3t....7...n.a
  00c0:  f1 5a 66 52 f1 89 2c 5e  2b f7 f6 e6 85 6b 70 6a   .ZfR..,^+....kpj
  00d0:  a0 95 6c 5e c3 d2 f9 d6  a3 bc 53 96 9b 43 39 3a   ..l^......S..C9:
  00e0:  5a 4d 1f c9 84                                     ZM...
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
  0000:  01                                                 .
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  cf 15 d2 46 4b 19 cc 6c  12 35 fb aa 5b fe ef 8e   ...FK..l.5..[...
  0010:  2f 60 fe 49 26 4e 3e f8  15 06 f9 09 03 de 37 22   /`.I&N>.......7"
  0020:  f4 8e 5a 0f 29 fc ea 1a  46 d5 7b 07 3f 6a 87 36   ..Z.)...F.{.?j.6
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


What is meant by this error?
TLS: peer cert untrusted or revoked (0x42)

On the server side, in the file /etc/openldap/ldap.conf, I tried both of these settings:

1. TLS_REQCERT never

2. TLS_REQCERT allow

But I still get the same error.
Because of this, I cannot use the address book from any of the email
clients I use.

Please help with your suggestions to solve the issue.

Thanks.

-- 
Regards,
T.Shrinivasan


My Life with GNU/Linux : http://goinggnu.wordpress.com
Free/Open Source Jobs : http://fossjobs.in
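Added example (the editor's, not part of the post above and not Zimbra or OpenLDAP code). A libldap built against GnuTLS prints the raw gnutls_certificate_status_t bitmask in the "peer cert untrusted or revoked" line, so 0x42 decodes to GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND: the client found no CA that signed the server certificate. The certificate in the dump is issued by Zimbra's own internal CA (issuer DN O=Zimbra Collaboration Suite, CN=mail.domain.com), which no external trust store contains. TLS_REQCERT and TLS_CACERT in /etc/openldap/ldap.conf are read by the libldap on the machine running ldapsearch, so the server's copy of that file has no effect on an external client. The script decodes the status word and triages a `-d -1` trace; the flag values are from gnutls/gnutls.h, while the remediation strings and the sample trace (the key lines of the trace above with the hex dumps omitted) are constructed for this example.

```python
"""Triage an `ldapsearch -d -1` trace that ends in
"TLS: peer cert untrusted or revoked (0x..)".

libldap (GnuTLS build) prints that line with the raw
gnutls_certificate_status_t bitmask, so decoding the hex value tells you
why the client rejected the server certificate.  Flag values are from
gnutls/gnutls.h; remediation text is this example's, not OpenLDAP's.
"""
import re

# gnutls_certificate_status_t bits (gnutls/gnutls.h).
GNUTLS_CERT_FLAGS = {
    1 << 1: "GNUTLS_CERT_INVALID",            # summary bit, set on any failure
    1 << 5: "GNUTLS_CERT_REVOKED",
    1 << 6: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    1 << 7: "GNUTLS_CERT_SIGNER_NOT_CA",
    1 << 8: "GNUTLS_CERT_INSECURE_ALGORITHM",
    1 << 9: "GNUTLS_CERT_NOT_ACTIVATED",
    1 << 10: "GNUTLS_CERT_EXPIRED",
    1 << 11: "GNUTLS_CERT_SIGNATURE_FAILURE",
}

# Where the fix lives for each reason (constructed for this example).
# Verification happens in the client's libldap, so the server's
# /etc/openldap/ldap.conf is never the file to change.
REMEDIATION = {
    "GNUTLS_CERT_SIGNER_NOT_FOUND": (
        "the client has no CA that issued the server certificate; add it with "
        "TLS_CACERT in the client's ldap.conf (or LDAPTLS_CACERT in the environment)"
    ),
    "GNUTLS_CERT_SIGNER_NOT_CA": "the issuer certificate lacks CA basicConstraints; reissue the server cert from a real CA",
    "GNUTLS_CERT_EXPIRED": "the server certificate has expired; renew it on the server",
    "GNUTLS_CERT_NOT_ACTIVATED": "the server certificate is not yet valid; check client and server clocks",
    "GNUTLS_CERT_REVOKED": "the server certificate is revoked; investigate rather than bypass",
    "GNUTLS_CERT_INSECURE_ALGORITHM": "the chain uses an algorithm the client rejects; reissue with a modern one",
    "GNUTLS_CERT_SIGNATURE_FAILURE": "a chain signature does not verify; suspect a wrong or corrupted CA file",
}

STATUS_RE = re.compile(r"TLS: peer cert untrusted or revoked \(0x([0-9a-fA-F]+)\)")


def decode_status(status):
    """Names of the bits set in a GnuTLS certificate status word, in bit order."""
    names = [name for bit, name in GNUTLS_CERT_FLAGS.items() if status & bit]
    unknown = status & ~sum(GNUTLS_CERT_FLAGS)
    if unknown:
        names.append("UNKNOWN_BITS(0x%x)" % unknown)
    return names


def diagnose(trace):
    """Return how far the connection got and what to fix, from a -d -1 trace."""
    lines = trace.splitlines()
    handshake_started = any(l.startswith(("tls_read:", "tls_write:")) for l in lines)
    bind_failed = "Can't contact LDAP server" in trace
    report = {"tls_handshake_started": handshake_started,
              "cert_status": None, "flags": [], "verdict": ""}

    m = STATUS_RE.search(trace)
    if m:
        status = int(m.group(1), 16)
        report["cert_status"] = status
        report["flags"] = decode_status(status)
        reasons = [REMEDIATION[f] for f in report["flags"] if f in REMEDIATION]
        report["verdict"] = ("client rejected the server certificate: "
                             + "; ".join(reasons or ["no known reason bit set"]))
    elif bind_failed and not handshake_started:
        report["verdict"] = ("no TLS traffic at all: TCP connect to the ldaps port failed "
                             "(listener not up, firewall, or wrong port)")
    elif bind_failed:
        report["verdict"] = ("TLS handshake failed for a non-certificate reason "
                             "(protocol or cipher mismatch); inspect the tls_read/tls_write records")
    else:
        report["verdict"] = "no failure found in the trace"
    return report


# Constructed sample: the key lines of the trace in the post, hex dumps omitted.
SAMPLE_TRACE = """\
ldap_connect_to_host: TCP mail.domain.com:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
tls_write: want=117, written=117
tls_read: want=5, got=5
tls_read: want=692, got=692
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

if __name__ == "__main__":
    r = diagnose(SAMPLE_TRACE)
    print("flags:", ", ".join(r["flags"]))
    print("verdict:", r["verdict"])
```

Run it on a saved trace (`ldapsearch ... -d -1 2> trace.txt`) by passing the file contents to diagnose(). The point of keeping the remediation keyed on the flag bits is that SIGNER_NOT_FOUND is fixed by giving the client the CA, never by lowering TLS_REQCERT, which would silently accept any certificate presented on port 636.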


