Univention Bugzilla – Bug 49975
Easy way to connect from extern via LDAPS with Let's Encrypt Certs
Last modified: 2020-06-23 19:06:53 CEST
As an administrator I want to provide easy encrypted access to my LDAP to connect to other systems.

More requirements/information:
* For example, the service should run on port 8636.
* With some external systems you are forced to use port 636 to access the internet from outside. For this purpose, the external port 636 would have to be mapped to 8636 in the customer's firewall. This should be possible for every customer.
* A solution must be found if another service already runs on 8636.
* A solution must be found if the server (e.g. memberserver) has no local LDAP, e.g. by providing a possibility to set a target host. This would be necessary in scenarios where one would like to hide the LDAP from the outside world.
* Probably no certificate must be configured in OpenLDAP or Samba; instead stunnel can be used (e.g. accept=8636 + connect=7389).

Acceptance criteria:
1. Assuming I install the App Let's Encrypt, am in the installation (App Settings), select the checkbox "Use certificate additionally for LDAPS (Port 8636)" under Services, save, then I can perform LDAP searches via Port 8636.
2. Assuming the App Let's Encrypt is installed, I am in the App Settings, select the checkbox "Use certificate additionally for LDAPS (Port 8636)" under Services, save, then I can perform LDAP searches via Port 8636.
Created attachment 10303 [details]
stunnel-Config

Default configuration that should be stored. With firewall opened on the port:

ucr set security/packetfilter/package/ldaps-extern-lets-encrypt/tcp/8636/all/en=LDAPS 1704
ucr set security/packetfilter/package/ldaps-extern-lets-encrypt/tcp/8636/all=ACCEPT
Probably you also want to use an LDAPS-connection from the stunnel proxy to the (remote) destination UCS server. Something like this (untested, just thinking out loud):

============================================
[ldaps-proxy]
accept = 8636
connect = 8389 # locally
cert = /etc/univention/letsencrypt/signed_chain.crt
key = /etc/univention/letsencrypt/domain.key
CAfile = /etc/univention/letsencrypt/intermediate.pem

[ldap+tls-client]
client = yes
accept = 8389
connect = <Remote-or-local-UCS-Sever>:7636
cert = /etc/univention/ssl/memberfoo/cert.pem
key = /etc/univention/ssl/memberfoo/private.key
CAfile = /etc/univention/ssl/ucsCA/CAcert.pem
============================================
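One thing worth checking in the two-hop layout above is that the `client = yes` section actually validates the upstream UCS server: stunnel loads `CAfile` but verifies nothing unless `verifyChain`/`verifyPeer` (or the older `verify`) is set. The following linter is an added example, not code from this bug or from UCS; the sample config is constructed from the proposal above with a placeholder hostname.

```python
"""Lint an stunnel config for the LDAPS-proxy pattern (added example, not UCS code)."""
import configparser

# Constructed sample modelled on the proposed config; hostname is a placeholder.
SAMPLE = """
[ldaps-proxy]
accept = 8636
connect = 8389
cert = /etc/univention/letsencrypt/signed_chain.crt
key = /etc/univention/letsencrypt/domain.key

[ldap+tls-client]
client = yes
accept = 8389
connect = ucs-master.example.test:7636
cert = /etc/univention/ssl/memberfoo/cert.pem
key = /etc/univention/ssl/memberfoo/private.key
CAfile = /etc/univention/ssl/ucsCA/CAcert.pem
"""


def parse_stunnel(text):
    """Parse stunnel's INI-style service sections, preserving option casing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # stunnel options like CAfile/verifyChain are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint(services):
    """Return human-readable findings for each misconfigured service section."""
    findings = []
    for name, opts in services.items():
        if "accept" not in opts or "connect" not in opts:
            findings.append(f"{name}: needs both 'accept' and 'connect'")
        if opts.get("client", "no").strip().lower() == "yes":
            # Outbound TLS hop: without one of these, the remote cert is never checked.
            if not any(k in opts for k in ("verifyChain", "verifyPeer", "verify")):
                findings.append(f"{name}: client mode without verifyChain/verifyPeer, "
                                "upstream certificate is not validated")
            if "CAfile" not in opts and "CApath" not in opts:
                findings.append(f"{name}: no CAfile/CApath to validate the upstream server")
        else:
            # Inbound TLS hop: must present a certificate and key to external clients.
            for required in ("cert", "key"):
                if required not in opts:
                    findings.append(f"{name}: server mode is missing '{required}'")
    return findings
```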