Openldap StartTLS


Using openfire 3.7.1 on freebsd and was wondering about tls for openldap. It seems the feature list and change log both say tls is supported, but it doesn’t seem to be so for ldap. Does openfire support this and if so, is there a way to enable it (there isn’t through the setup interface)?




Ok, there is absolutely no option for startTLS. I found a number of refs for a patch that does enable a startTLS option and even says it was included in the following release, but this was a few years ago and apparently this patch was removed at some time.

I tried editing the openfire.xml directly and adding xml options according to de.html but it appears that openfire doesn’t read the ldap options from here but keeps going back to the db. I can’t find how to make it read the ldap options from the config file.

I was hoping I could set the starttls option in the config file explicitly.

The only thing that happens is the settings get overwritten each time I start (I added my ldap user as an authorized admin user). Found a reference to this issue as well, but no solutions.

Debugging doesn’t show me anything useful (in fact, nothing at all when I try to test connection during setup). And everything from the slapd end of things indicates TLS is not being used (which I already knew).

Any help on this would sure be appreciated.

Thanks, brian.

So, if you put anything in the openfire.xml file, most, some, bits and pieces will get overwritten. Not sure of what pattern there is to it.

So I found all the settings in the database (ofProperties table) and edited them directly. The setup interface wasn’t even saving the ldap stuff correctly (the DNs always got cut off).

Between that and checking the error logs for openfire and openldap I was able to figure it out. Also, setting ldap.ldapDebugEnabled doesn’t appear to do much. Nothing goes to the openfire debug log, that’s for sure. Maybe the error log?

Anyway, problem solved.


I reconfigured my openldap server to use state of the art cipher suites, protocols and also starttls instead of ssl connections.

After finishing that and changing all my applications I sadly found out that openfire was the last application in my environment that was missing the support for starttls. I found this thread and the following issue, looked at the codebase and saw that daniel had already submitted a patch to support starttls in the backend.

The missing part was just the frontend integration in the setup routine. So I appended the properties with the missing parts, rebuilt, set up ldap with starttls and found out that everything works as expected. So I did more testing and validated my connection setting by reviewing a tcpdump and tested more ldap queries, and it still looks good to me.

I requested a pr on github:

It will be great if someone else can review and check if everything works for him as well, to see that feature fully integrated in the upcoming release. Since I’m just able to jabber in english and german I filled up the other translation files with the english snippets and hope for the help of the community.

Thanks for this great open-source project!