Secure Connection

If you want to connect to your directory server over an SSL connection, use the following syntax for the Hostname specification: {protocol}://{hostname or ip}{:port}

Example:

ldaps://ad.icewarpdemo.com

ldaps://182.164.6.24:636

Connecting to the directory server via TLS (the STARTTLS command) is not supported as of the current build (11.4.0.0).

OpenLDAP library (Linux builds)

To establish a secure connection when the OpenLDAP library (openldap.dll) is used, do the following:

  1. Modify the LDAP client config file (IceWarp\ldap\ldap.conf) by appending a line containing TLS_REQCERT never.

    (This directive makes IceWarp Server accept the SSL certificate even if it is not signed by a trusted certificate authority; with this setting the server certificate is not checked at all.)

  2. Tell the OpenLDAP library where to find this modified ldap.conf file.

    IceWarp Server uses the OpenLDAP libraries, which expect the ldap.conf file in a specific path. The library searches for this file in the current working directory of the process that calls it and in the location defined by the LDAPCONF environment variable.

    The easiest way to make the configuration file available is to set this environment variable to point to the default location mentioned above. In Windows, open Control Panel/System/Advanced System Settings/Advanced/Environment Variables and add a new system variable named LDAPCONF. Fill in the path and file name as the value of this variable, e.g. c:/Program Files/IceWarp/ldap/ldap.conf (without quotation marks).

    To apply the changes, you need to reload the IceWarp Server administration console and restart all modules.

Windows library (Windows builds)

This library requires the AD certificate to be trusted on the machine where IceWarp Server is installed. To establish a secure connection with this synchronization library, follow these steps:

  1. Get a copy of the certificate used by the AD server. This can easily be done with any third-party LDAP browser. If the certificate is not trusted already (in which case no security alert would pop up), you need to make it trusted. Most probably the issuer will be unknown. You need either the AD server certificate, if it is self-signed, or the issuer's CA root certificate, if the certificate was issued elsewhere than on the AD server itself. Be aware that the certificate can appear trusted because it has been imported into the certificate store of the current user, but this is not sufficient for services; see the next step.
  2. Import the certificate into the Trusted Root Certification Authorities store in the scope of the Computer account on the machine running IceWarp Server, so that even a service started under the Local System account can access it. The import procedure differs slightly between the server and workstation versions of Microsoft Windows. On Windows Server platforms you have to run the mmc console (mmc.exe) and add the certificate manager to it; you will be able to choose the scope during the process.
  3. Make sure that the certificate's cn attribute and the Hostname used within the IceWarp Server domain directory service match. This is absolutely essential.
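The following Python helpers, an added example that is not part of IceWarp or its documentation, put the three checks above into code: parsing the {protocol}://{hostname or ip}{:port} Hostname specification, detecting a TLS_REQCERT never line in ldap.conf (the Linux-build step, which disables server certificate verification), and the step-3 name match between the configured Hostname and the certificate. The default port 636 for ldaps:// and the certificate names used in the sample run are assumptions, not values from the page.

```python
"""Offline checks for an IceWarp directory-service LDAPS configuration.
Added example (not IceWarp code). Assumes the Hostname follows
{protocol}://{hostname or ip}{:port} and defaults ldaps:// to port 636."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # well-known LDAP/LDAPS ports


def parse_hostname_spec(spec):
    """Split a Hostname entry into (protocol, host, port).
    Only ldap:// and ldaps:// are accepted; there is no scheme for
    STARTTLS, which build 11.4.0.0 does not support anyway."""
    parts = urlsplit(spec)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported hostname spec: {spec!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def reqcert_disables_verification(ldap_conf_text):
    """True if ldap.conf sets TLS_REQCERT never (last occurrence wins).
    With 'never' the OpenLDAP client skips server certificate checks, so
    the link is encrypted but the peer is not authenticated. Comments are
    ignored; the OpenLDAP default when the directive is absent is 'demand'."""
    value = "demand"
    for line in ldap_conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0].upper() == "TLS_REQCERT":
            value = tokens[1].lower()
    return value == "never"


def cert_matches_host(host, subject_cn, san_dns=(), san_ip=()):
    """Step 3 above: the configured Hostname must match the certificate.
    An IP in the Hostname spec (as in the ldaps://182.164.6.24:636 example)
    only matches a SAN IP entry; a DNS name matches the CN or a SAN DNS
    entry, allowing one leading wildcard label (*.example.com)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in san_ip)
    host = host.lower().rstrip(".")
    for name in (subject_cn or "", *san_dns):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False
```

Running cert_matches_host("182.164.6.24", "ad.icewarpdemo.com") returns False: configuring the directory server by IP, as in the second example above, requires that IP to appear in the certificate's SAN or the step-3 match fails.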