Subject: The mailing list for listmasters using Sympa
[sympa-users] Re: sympa, ldap include and ldaps...
- From: Marco Gaiarin <address@concealed>
- To: Olivier Salaün <address@concealed>
- Cc: address@concealed
- Subject: [sympa-users] Re: sympa, ldap include and ldaps...
- Date: Thu, 29 Nov 2007 15:04:13 +0100
Hello! Olivier Salaün
On that day, it was said...
OSn> The include_ldap_query feature is not SSL-enabled in Sympa 5.2.3. All
OSn> LDAP connectors have been merged in Sympa 5.3 to fill this gap.
Oh... ;(((
OSn> 2. set up an stunnel server that does LDAP on the Sympa side and
OSn> LDAPS on the remote server side. Check <http://www.stunnel.org/>
OSn> if you don't know what stunnel is.
Cool! I know stunnel, but I've used it before as a 'server', I was not
aware that it can be used in 'client' mode... if you want to put it in the wiki,
I've simply done:
1) added to /etc/inetd.conf these:
# Stunnel towards the LDAP servers...
#
52389 stream tcp nowait root /usr/bin/stunnel stunnel -c -r ldap.corsi.sv.lnf.it:636 -N ldapcorsi
27389 stream tcp nowait root /usr/bin/stunnel stunnel -c -r ldap.pp.lnf.it:636 -N ldappp
39389 stream tcp nowait root /usr/bin/stunnel stunnel -c -r ldap.ud.lnf.it:636 -N ldapud
-N <> mandatory, see below.
Certificate stuff ignored, I'm using a local autogenerated CA for every
SSL-enabled service in my LAN/WAN, so the SSL setup was already in place.
2) (mandatory) prevent access to 'redirected' ldap server apart from
localhost, using 'tcpwrapper service name' defined with -N option
above:
in /etc/hosts.deny
# Deny access to the LDAP tunnels
#
ldapcorsi: ALL
ldappp: ALL
ldapud: ALL
in /etc/hosts.allow
# Allow access to the LDAP tunnels only from localhost
#
ldapcorsi: 127.0.0.1 10.5.1.3
ldappp: 127.0.0.1 10.5.1.3
ldapud: 127.0.0.1 10.5.1.3
Then I've restarted inetd.
In sympa I've only used as a 'ldap host' the form 'localhost:port',
e.g.:
localhost:27389
and all works flawlessly!!! ;)))
--
I like fairy tales,
tell me some more (F. Guccini)
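
Added example (not part of the original message, and not Sympa or stunnel code): a Python check that every stunnel client entry in inetd.conf has the tcpwrapper default deny from step 2 and that hosts.allow lists only the expected clients. The file contents are constructed samples modelled on the message, with one deny rule left out and one allow rule widened so the check has something to report; the function names and the `trusted` parameter are hypothetical.

```python
import shlex
# Constructed sample files, modelled on the entries in the message above.
INETD_CONF = """\
# Stunnel towards the LDAP servers
52389 stream tcp nowait root /usr/bin/stunnel stunnel -c -r ldap.corsi.sv.lnf.it:636 -N ldapcorsi
27389 stream tcp nowait root /usr/bin/stunnel stunnel -c -r ldap.pp.lnf.it:636 -N ldappp
39389 stream tcp nowait root /usr/bin/stunnel stunnel -c -r ldap.ud.lnf.it:636 -N ldapud
"""
HOSTS_DENY = "ldapcorsi: ALL\nldappp: ALL\n"  # ldapud rule left out on purpose
HOSTS_ALLOW = ("ldapcorsi: 127.0.0.1 10.5.1.3\n"
               "ldappp: 127.0.0.1 10.0.0.0/255.0.0.0\n"  # widened on purpose
               "ldapud: 127.0.0.1\n")

def stunnel_services(inetd_text):
    """Map tcpwrapper service name (-N) -> local port for stunnel client entries."""
    services = {}
    for line in inetd_text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) < 7 or "stunnel" not in fields[5]:
            continue
        args = fields[6:]
        if "-c" in args and "-N" in args and args.index("-N") + 1 < len(args):
            services[args[args.index("-N") + 1]] = fields[0]
    return services

def wrapper_rules(text):
    """Parse 'daemon[, daemon]: client client ...' lines; IPv6 clients not handled."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        for d in daemons.replace(",", " ").split():
            rules.setdefault(d, set()).update(clients.replace(",", " ").split())
    return rules

def audit(inetd_text, deny_text, allow_text, trusted=("127.0.0.1",)):
    # tcpwrappers grants access when no rule matches, so each tunnel needs a deny.
    deny, allow = wrapper_rules(deny_text), wrapper_rules(allow_text)
    findings = {}
    for name, port in stunnel_services(inetd_text).items():
        problems = []
        if "ALL" not in deny.get(name, set()) | deny.get("ALL", set()):
            problems.append("no default deny: port %s open to any host" % port)
        extra = (allow.get(name, set()) | allow.get("ALL", set())) - set(trusted)
        if extra:
            problems.append("extra allowed clients: " + " ".join(sorted(extra)))
        findings[name] = problems
    return findings
```

Call `audit()` with the real contents of /etc/inetd.conf, /etc/hosts.deny and /etc/hosts.allow, passing in `trusted` the addresses that are meant to reach the tunnels.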