
en - Re: [sympa-users] LDAP useing startTLS or SSL

Subject: The mailing list for listmasters using Sympa

  • From: "Stefan Hornburg (Racke)" <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] LDAP useing startTLS or SSL
  • Date: Sat, 7 Aug 2021 08:26:02 +0200

On 04/08/2021 23:01, Warren G Anderson wrote:
Hi,

We have a sympa 6.1.23 instance for which we use LDAP to do the following:

1) subscriber data sources for lists via the list configs
2) moderator data sources using .incl files in /etc/sympa/data_sources
3) scenarios using search filters in /etc/sympa/search_filters

For the first two, we can use TLS to secure the LDAP binds using the
configuration syntax:

use_ssl yes
ssl_version tlsv1

For the search filters, we have not been able to figure out how to do a bind
over TLS. An example of a search_filter file we are using is:

host            ldap.example.org:389
suffix          ou=people,dc=example,dc=org
filter          (&(|(mail = [sender])(mailAlternateAddress = [sender])(mailForwardingAddress = [sender]))(isMemberOf=GroupOfExampleOrgUsers))
scope           sub

The obvious thing to try was to switch the port to 636 in the host line in
hopes that that would use SSL, but the bind failed. Adding the config
lines "use_ssl yes" and "ssl_version tlsv1" also did not result in a
successful bind. We cannot find in the docs an example of a search_filter
that uses TLS for LDAP binds. Is it possible?

Warren

Warren G Anderson, Ph.D.

Leonard E Parker Center for Gravitation, Cosmology and Astrophysics


Hello Warren,

in current Sympa versions the search filter is loaded by the
_load_ldap_configuration function in Sympa::Scenario.

There you find valid and required options for the search_filter file:

my @valid_options = qw(host suffix filter scope bind_dn bind_password
use_tls ssl_version ssl_ciphers ssl_cert ssl_key
ca_verify ca_path ca_file);
my @required_options = qw(host suffix filter);

Check your Sympa source code about the available options.

If you need help to upgrade to a more modern version of Sympa, let me know
:-).

Regards
Racke


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration.
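
An added example, not part of either message and not Sympa code: a small Python linter that checks a search_filter file against the valid and required option lists quoted in the reply, and flags a file that binds without TLS, without strict certificate verification, or with a deprecated protocol version. The value names for use_tls, ca_verify and ssl_version, the default of no TLS when use_tls is absent, and the '#' comment syntax are assumptions based on Sympa 6.2 documentation; the sample files are constructed.

```python
# Option names quoted in the reply above (from Sympa::Scenario).
VALID = set("host suffix filter scope bind_dn bind_password use_tls ssl_version "
            "ssl_ciphers ssl_cert ssl_key ca_verify ca_path ca_file".split())
REQUIRED = {"host", "suffix", "filter"}
# Assumption: value names as documented for Sympa 6.2; check your own version.
TLS_MODES = {"starttls", "ldaps", "none"}
DEPRECATED = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}  # SSL and TLS 1.0/1.1

def parse(text):
    """Map option -> value from 'name value' lines; '#' comments are an assumption."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts

def lint(text):
    """Return findings for one search_filter file; an empty list means none."""
    opts = parse(text)
    out = [f"unknown option: {n}" for n in sorted(set(opts) - VALID)]
    out += [f"missing required option: {n}" for n in sorted(REQUIRED - set(opts))]
    mode = opts.get("use_tls", "none")  # assumption: absent means no TLS
    if mode not in TLS_MODES:
        out.append(f"unrecognised use_tls value: {mode}")
    elif mode == "none":
        out.append("use_tls is off: bind and search are sent in cleartext")
    else:
        if opts.get("ca_verify") != "required":
            out.append("ca_verify is not 'required': server certificate may go unchecked")
        if opts.get("ssl_version") in DEPRECATED:
            out.append(f"ssl_version {opts['ssl_version']} is a deprecated protocol")
    return out

# Constructed samples: a shortened filter, then the two variants discussed above.
BASE = """\
host    ldap.example.org:389
suffix  ou=people,dc=example,dc=org
filter  (mail=[sender])
"""
ATTEMPT = BASE + "use_ssl yes\nssl_version tlsv1\n"      # lines tried in the question
HARDENED = BASE + "use_tls starttls\nssl_version tlsv1_2\nca_verify required\n"

if __name__ == "__main__":
    for name, sample in (("attempt", ATTEMPT), ("hardened", HARDENED)):
        print(name, lint(sample) or "no findings")
```

Run against each file in /etc/sympa/search_filters after an upgrade, the "unknown option" finding shows which lines carried over from list-config syntax are not in the search_filter option list.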



