Dovecot can't connect to openldap over starttls

info at gwarband.de info at gwarband.de
Sat Mar 18 14:31:36 EET 2017


I've replicated the settings from ldapsearch to dovecot, but no success.
To the certificate:
Yes, it's a *.crt file, but I have linked the *.pem file to it and 
dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other site with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the SSL handshake between 
openldap and dovecot, but I can't find the source of the problem.

One of the steps in the SSL handshake is not successful, but in the 
debugging output I can't find any line with a hint about it.

Tobias

Am 2017-03-18 12:30, schrieb Tomas Habarta:
> Well, if ldapsearch works, try to replicate its settings for dovecot 
> client.
> It's not obvious what settings ldapsearch uses, have a look at default
> client settings in /etc/openldap/ldap.conf, there may be something set a
> slightly different way.
> Also double check permissions for files used by dovecot, I mean mainly
> the file listed for tls_ca_cert_file as dovecot may not have an access
> for reading...
> 
> I cannot see anything downright bad, just posted CA cert (which is ok,
> tested) is *.crt and your config mentions *.pem but I consider it's the
> same file.
> 
> Finally, I would recommend to enable debug option for dovecot's client
> 	debug_level = -1 (which logs all available) in your dovecot-ldap.conf
> to see what the library reports and work further on that.
> You can compare with output from ldapsearch by adding -d-1 switch to it.
> 
> Hard to tell more at the moment.
> 
> 
> Tomas
> 
> On 03/18/2017 09:41 AM, info at gwarband.de wrote:
>> Hello,
>> 
>> I have also installed LE certs.
>> But nothing helps, I have double-checked all certs.
>> 
>> ldapsearch with -ZZ works, see: 
>> https://gwarband.de/openldap/ldapsearch.log
>> 
>> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
>> the merge of the two files:
>> https://gwarband.de/openldap/LetsEncrypt.crt
>> 
>> And also I have uploaded my complete openldap configuration:
>> https://gwarband.de/openldap/openldap.conf
>> 
>> All other components can work and communicate with my openldap server.
>> The components are postfix, openxchange, apache (phpldapadmin).
>> 
>> My installed software is:
>> Debian 8
>> OpenLDAP 2.4.40
>> Dovecot 2.2.13
>> 
>> I hope you can find the issue.
>> 
>> Thanks,
>> Tobias
>> 
>> Am 2017-03-17 22:48, schrieb Tomas Habarta:
>>> Hi,
>>> 
>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>>> unix socket on the same machine, but tried over inet with STARTTLS and
>>> it's working ok...
>>> 
>>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>>> the test I have used LE certs, utilizing following cn=config attributes:
>>> 
>>> olcTLSCertificateKeyFile    contains private key
>>> olcTLSCertificateFile        contains certificate
>>> olcTLSCACertificateFile        contains both certs (DST Root CA X3
>>>                 and Let's Encrypt Authority X3)
>>> 
>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>> 
>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>> 
>>> 
>>> 
>>> Hope that helps, good luck ;)
>>> Tomas
>>> 
>>> 
>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>>> Hello guys,
>>>> 
>>>> actually I'm trying to configure dovecot to access openldap for
>>>> password checks.
>>>> My openldap only allows access over "secure ldap".
>>>> The dovecot can communicate with the openldap server but there is maybe
>>>> a failure in the SSL handshake.
>>>> Additional information you can find in the logs or in the dump below.
>>>> Also I have my ldap config from dovecot in the links below.
>>>> 
>>>> I have already created a bug report in the system of openldap but
>>>> the answer was to get support from here.
>>>> 
>>>> All datalinks:
>>>> https://gwarband.de/openldap/dovecot.log
>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>> https://gwarband.de/openldap/openldap.log
>>>> https://gwarband.de/openldap/trace.dump
>>>> 
>>>> The bug report link from openldap:
>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>> 
>>>> I hope you can help me.
>>>> 
>>>> Regards.
>>>> Tobias Warband
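The thread turns on making Dovecot's LDAP client use the same TLS settings as the working ldapsearch. The two fragments below are an added illustration, not Tobias's or Tomas's configuration: they show the ldap.conf settings ldapsearch picks up and the matching keys in dovecot-ldap.conf (including the `debug_level = -1` Tomas recommends). The host name and the bundle path are placeholders; the only real requirement is that both clients point at the same CA bundle and both demand a verified server certificate.

```conf
# /etc/openldap/ldap.conf  (what ldapsearch -ZZ reads; placeholder host and path)
URI         ldap://ldap.example.org
TLS_CACERT  /etc/ssl/certs/le-chain.pem     # DST Root CA X3 + Let's Encrypt Authority X3
TLS_REQCERT demand                           # refuse the session if the chain does not verify

# /etc/dovecot/dovecot-ldap.conf  (the same settings, Dovecot spelling)
uris             = ldap://ldap.example.org
tls              = yes                       # STARTTLS on the plain ldap:// port
tls_ca_cert_file = /etc/ssl/certs/le-chain.pem   # same bundle as TLS_CACERT above
tls_require_cert = hard                      # Dovecot's equivalent of TLS_REQCERT demand
debug_level      = -1                        # log everything the LDAP library reports
```

Setting `tls_require_cert = never` would make the handshake "succeed" by skipping certificate verification; that hides the chain problem rather than fixing it, so keep `hard` and fix the bundle instead. The file named in `tls_ca_cert_file` must be readable by the user Dovecot's auth process runs as, which is the permissions point Tomas raises.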

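Tobias suspects a mistake in merging the two CA certificates into one file. The Python script below is an added example, not part of the thread, that lints a PEM bundle for exactly the structural errors such a merge produces: an END marker glued to the next BEGIN marker because the first file lacked a trailing newline, CRLF line endings, a block whose body is not valid base64 or not a single outer DER SEQUENCE, and a private key that ended up in what should be a certificates-only CA file. It uses only the standard library; the sample bundles it runs on are constructed stand-ins (DER SEQUENCE wrappers around dummy bytes), not real X.509 certificates, so it runs offline.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

BEGIN_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")
END_RE = re.compile(r"-----END ([A-Z ]+)-----")
GLUED_RE = re.compile(r"-----END [A-Z ]+----------BEGIN ")   # END and BEGIN on one line


@dataclass
class BundleReport:
    blocks: list = field(default_factory=list)    # (label, der_bytes) for each parsed block
    problems: list = field(default_factory=list)  # human-readable findings


def der_sequence_ok(der: bytes) -> bool:
    """True if `der` is one outer DER SEQUENCE whose declared length spans all the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                         # short-form length
        declared, header = first, 2
    else:                                    # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + declared == len(der)


def lint_pem_bundle(text: str) -> BundleReport:
    """Parse a PEM bundle and collect merge/formatting problems."""
    report = BundleReport()
    if GLUED_RE.search(text):
        report.problems.append("END marker runs straight into the next BEGIN marker (missing newline between merged files)")
    if "\r\n" in text:
        report.problems.append("CRLF line endings present")
    label, body = None, []
    for lineno, raw in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        line = raw.strip()
        if (m := BEGIN_RE.fullmatch(line)):
            if label is not None:
                report.problems.append(f"line {lineno}: BEGIN {m.group(1)} inside unterminated {label} block")
            label, body = m.group(1), []
        elif (m := END_RE.fullmatch(line)):
            if label is None:
                report.problems.append(f"line {lineno}: END {m.group(1)} without matching BEGIN")
                continue
            if m.group(1) != label:
                report.problems.append(f"line {lineno}: END {m.group(1)} closes a {label} block")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                report.problems.append(f"{label} block ending at line {lineno}: body is not valid base64")
            else:
                if not der_sequence_ok(der):
                    report.problems.append(f"{label} block ending at line {lineno}: not a well-formed DER SEQUENCE")
                if label != "CERTIFICATE":
                    report.problems.append(f"{label} block ending at line {lineno}: a CA bundle should contain certificates only")
                report.blocks.append((label, der))
            label, body = None, []
        elif label is not None:
            if line:
                body.append(line)
        elif line:
            report.problems.append(f"line {lineno}: text outside any PEM block")
    if label is not None:
        report.problems.append(f"unterminated {label} block at end of file")
    return report


def _constructed_der(payload: bytes) -> bytes:
    """Wrap payload in an outer DER SEQUENCE header (constructed stand-in, not a real certificate)."""
    n = len(payload)
    if n < 0x80:
        return bytes([0x30, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(length_bytes)]) + length_bytes + payload


def to_pem(label: str, der: bytes) -> str:
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n-----END {label}-----\n")


# Constructed sample inputs: stand-in "root" and "intermediate" certificates plus a stand-in key.
ROOT_DER = _constructed_der(b"\x02\x01\x01" + b"R" * 200)
INTERMEDIATE_DER = _constructed_der(b"\x02\x01\x02" + b"I" * 300)
KEY_DER = _constructed_der(b"\x02\x01\x00" * 5)
GOOD_BUNDLE = to_pem("CERTIFICATE", ROOT_DER) + to_pem("CERTIFICATE", INTERMEDIATE_DER)
GLUED_BUNDLE = to_pem("CERTIFICATE", ROOT_DER).rstrip("\n") + to_pem("CERTIFICATE", INTERMEDIATE_DER)
KEY_IN_BUNDLE = GOOD_BUNDLE + to_pem("PRIVATE KEY", KEY_DER)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("glued", GLUED_BUNDLE), ("key-in-bundle", KEY_IN_BUNDLE)]:
        rep = lint_pem_bundle(bundle)
        print(f"{name}: {len(rep.blocks)} block(s), {len(rep.problems)} problem(s)")
        for p in rep.problems:
            print("  -", p)
```

Run it against a real bundle with `lint_pem_bundle(open("/path/to/le-chain.pem").read())`; a clean two-certificate CA file yields two CERTIFICATE blocks and an empty problem list. The linter checks structure only; whether the two certificates actually form the chain the server presents is a separate question that `ldapsearch -ZZ -d-1` and Dovecot's `debug_level = -1` output answer.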
