Bug 49975 - Easy way to connect from extern via LDAPS with Let's Encrypt Certs
Status: NEW
Product: UCS
Classification: Unclassified
Component: Let's Encrypt
UCS 4.4
Other Mac OS X 10.1
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2019-08-07 14:31 CEST by Michel Smidt
Modified: 2020-06-23 19:06 CEST (History)

What kind of report is it?: Feature Request

Attachments
stunnel-Config (771 bytes, text/plain)
2020-03-06 12:24 CET, Michel Smidt
Description Michel Smidt 2019-08-07 14:31:57 CEST
As an administrator I want to provide easy encrypted access to my LDAP to connect to other systems.

More requirements/information:
* For example, the service should run on port 8636.
* With some external systems you are forced to use port 636 to access the internet from outside. For this purpose, the external port 636 would have to be mapped to 8636 in the customer's firewall. This should be possible for every customer.
* A solution must be found if another service already runs on 8636.
* A solution must be found if the server (e.g. a memberserver) has no local LDAP, e.g. by providing a possibility to set a target host. This would be necessary in scenarios where one would like to hide the LDAP from the outside world.
* Probably no certificate needs to be configured in OpenLDAP or Samba; stunnel can be used instead (e.g. accept=8636 + connect=7389).

Acceptance criteria:
1. Assuming I install the App Let's Encrypt, am in the installation dialog (App Settings), select the checkbox "Use certificate additionally for LDAPS (Port 8636)" under Services and save, then I can perform LDAP searches via port 8636.
2. Assuming the App Let's Encrypt is installed, I am in the App Settings, select the checkbox "Use certificate additionally for LDAPS (Port 8636)" under Services and save, then I can perform LDAP searches via port 8636.
Comment 1 Michel Smidt 2020-03-06 12:24:22 CET
Created attachment 10303
stunnel-Config

Default configuration that should be stored.
With the firewall opened on the port:
ucr set security/packetfilter/package/ldaps-extern-lets-encrypt/tcp/8636/all/en=LDAPS
ucr set security/packetfilter/package/ldaps-extern-lets-encrypt/tcp/8636/all=ACCEPT
Comment 3 Arvid Requate univentionstaff 2020-06-23 19:05:51 CEST
Probably you also want to use an LDAPS-connection from the stunnel proxy to the (remote) destination UCS server.
Something like this (untested, just thinking loud):
============================================
[ldaps-proxy]
accept = 8636
# locally
connect = 8389
cert = /etc/univention/letsencrypt/signed_chain.crt
key = /etc/univention/letsencrypt/domain.key
CAfile = /etc/univention/letsencrypt/intermediate.pem

[ldap+tls-client]
client = yes
accept = 8389
connect = <Remote-or-local-UCS-Server>:7636
cert = /etc/univention/ssl/memberfoo/cert.pem
key = /etc/univention/ssl/memberfoo/private.key
CAfile = /etc/univention/ssl/ucsCA/CAcert.pem
============================================
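As an added check (not part of this ticket and not UCS or stunnel code), the script below parses the stunnel proposal from comment 3 and flags what a reviewer would want caught before deployment: a client section whose CAfile has no verify option attached, in which case stunnel does not validate the upstream UCS server's certificate at all, and a server section without a cert. The config text is a constructed copy of comment 3 with its placeholder host kept; verifyChain, verifyPeer and verify are real stunnel options.

```python
import re

# Constructed sample input: the stunnel proposal from comment 3, placeholder kept.
SAMPLE_CONF = """
[ldaps-proxy]
accept = 8636
connect = 8389
cert = /etc/univention/letsencrypt/signed_chain.crt
key = /etc/univention/letsencrypt/domain.key
CAfile = /etc/univention/letsencrypt/intermediate.pem

[ldap+tls-client]
client = yes
accept = 8389
connect = <Remote-or-local-UCS-Server>:7636
cert = /etc/univention/ssl/memberfoo/cert.pem
key = /etc/univention/ssl/memberfoo/private.key
CAfile = /etc/univention/ssl/ucsCA/CAcert.pem
"""

def parse_stunnel(text):
    """Parse stunnel's INI-style config; global options land in section ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or whole-line comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def audit(cfg):
    """Return (section, finding) pairs for settings that weaken the LDAPS proxy."""
    findings = []
    for name, opts in cfg.items():
        if not name:
            continue
        if opts.get("client", "no").lower() == "yes":
            # In client mode CAfile alone is inert: the upstream certificate is
            # only checked when verifyChain/verifyPeer (or legacy verify) is set.
            if not any(k in opts for k in ("verifyChain", "verifyPeer", "verify")):
                findings.append((name, "no verifyChain/verifyPeer: upstream cert not validated"))
        elif "cert" not in opts:
            findings.append((name, "server section without cert"))
    return findings
```

Running `audit(parse_stunnel(SAMPLE_CONF))` reports the ldap+tls-client section; adding `verifyChain = yes` (and, for hostname pinning, `checkHost`) to that section clears the finding.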