Dovecot can't connect to openldap over starttls

info at gwarband.de
Mon Mar 20 15:04:13 EET 2017


I've tested your solution, but it gives the same error.
I've tested all combinations of:
        - tls_ca_cert_file = <cert>
        - tls = yes
        - tls_require_cert = demand

Every time it says "Connection error".
Only when tls is uncommented does it say "TLS required".

Additional information from my contact with the openldap-technical
mailing list:
ldapsearch run as the dovecot user with -ZZ works fine.
And they mention that ldap.conf and dovecot-ldap.conf should have
no differences; that is correct, there are no differences.
Here is a link to the ldap.conf:
https://gwarband.de/openldap/ldap.conf
And the output of ldapsearch as the dovecot user:
https://gwarband.de/openldap/ldapsearch-dovecot.log

Tobias

On 2017-03-20 11:00, Tomas Habarta wrote:
> I've finally managed to get that running on a Debian 8 test machine by
> commenting out the
> 	tls_ca_cert_file =
> option in dovecot-ldap.conf, so only
> 	tls = yes
> 	tls_require_cert = demand
> 
> Not sure why that is, as on my CentOS 6 Dovecot works even with that
> commented option. Maybe CentOS and Debian use a different LDAP
> library or different versions, or there's another peculiarity ...
> 
> Anyway, when tls_require_cert = demand is set, to quote:
> --
> With a setting of demand the certificate is requested and a valid
> certificate must be provided, otherwise the session is immediately
> terminated.
> --
> 
> As that option doesn't provide any source, it is taken from
> /etc/ldap/ldap.conf on Debian, and if it's missing there, the Dovecot
> client times out validating the provided certificate with
> 
> imap-login: Error: Timeout waiting for handshake from auth server.
> imap-login: Disconnected: Auth process broken (disconnected before auth
> was ready, waited 30 secs)
> 
> 
> 
> Tomas
> 
> 
> On 03/18/2017 02:22 PM, info at gwarband.de wrote:
>> The server log of openldap with loglevel "any":
>> https://gwarband.de/openldap/openldap-connect.log
>> Note: openldap waits 1 minute after the connect before it says
>> "TLS negotiation failure", and dovecot immediately says "Connect error".
>> 
>> I've also deleted the TLSCipherSuite from openldap.
>> 
>> Tobias
>> 
>> On 2017-03-18 14:01, Tomas Habarta wrote:
>>> Increase the log level on the server side as well to see what the
>>> server says...
>>> You may remove anything in TLSCipherSuite for the purpose of testing
>>> too.
>>> 
>>> Hopefully someone who knows OpenLDAP internals can help you analyse it
>>> more deeply.
>>> 
>>> Tomas
>>> 
>>> On 03/18/2017 01:31 PM, info at gwarband.de wrote:
>>>> I've replicated the settings from ldapsearch in dovecot, but no
>>>> success.
>>>> Regarding the certificate:
>>>> Yes, it's a *.crt file, but I have linked the *.pem file to it, and
>>>> dovecot has read access to that file.
>>>> 
>>>> I have enabled debugging in dovecot and have uploaded the output:
>>>> https://gwarband.de/openldap/dovecot-connect.log
>>>> 
>>>> And the other side, with ldapsearch:
>>>> https://gwarband.de/openldap/ldapsearch-connect.log
>>>> 
>>>> I'm pretty sure that there is a problem with the SSL handshake
>>>> between openldap and dovecot, but I can't find the source of the
>>>> problem.
>>>> 
>>>> One of the steps in the SSL handshake does not succeed, but in the
>>>> debugging output I can't find any line pointing to it.
>>>> 
>>>> Tobias
>>>> 
>>>> On 2017-03-18 12:30, Tomas Habarta wrote:
>>>>> Well, if ldapsearch works, try to replicate its settings for the
>>>>> dovecot client.
>>>>> It's not obvious what settings ldapsearch uses; have a look at the
>>>>> default client settings in /etc/openldap/ldap.conf, there may be
>>>>> something set a slightly different way.
>>>>> Also double-check permissions for the files used by dovecot, mainly
>>>>> the file listed for tls_ca_cert_file, as dovecot may not have read
>>>>> access to it...
>>>>> 
>>>>> I cannot see anything downright bad; just that the posted CA cert
>>>>> (which is ok, tested) is *.crt and your config mentions *.pem, but I
>>>>> assume it's the same file.
>>>>> 
>>>>> Finally, I would recommend enabling the debug option for dovecot's
>>>>> client,
>>>>>     debug_level = -1 (which logs everything available), in your
>>>>> dovecot-ldap.conf
>>>>> to see what the library reports and work further from that.
>>>>> You can compare with the output from ldapsearch by adding the -d-1
>>>>> switch to it.
>>>>> 
>>>>> Hard to tell more at the moment.
>>>>> 
>>>>> 
>>>>> Tomas
>>>>> 
>>>>> On 03/18/2017 09:41 AM, info at gwarband.de wrote:
>>>>>> Hello,
>>>>>> 
>>>>>> I have also installed LE certs.
>>>>>> But nothing helps; I have double-checked all certs.
>>>>>> 
>>>>>> ldapsearch with -ZZ works, see:
>>>>>> https://gwarband.de/openldap/ldapsearch.log
>>>>>> 
>>>>>> I have also uploaded the TLSCACertificateFile, maybe I made a
>>>>>> mistake when merging the two files:
>>>>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>>>> 
>>>>>> I have also uploaded my complete openldap configuration:
>>>>>> https://gwarband.de/openldap/openldap.conf
>>>>>> 
>>>>>> All other components can work and communicate with my openldap
>>>>>> server.
>>>>>> The components are postfix, openxchange, apache (phpldapadmin).
>>>>>> 
>>>>>> My installed software is:
>>>>>> Debian 8
>>>>>> OpenLDAP 2.4.40
>>>>>> Dovecot 2.2.13
>>>>>> 
>>>>>> I hope you can find the issue.
>>>>>> 
>>>>>> Thanks,
>>>>>> Tobias
>>>>>> 
>>>>>> On 2017-03-17 22:48, Tomas Habarta wrote:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> I've been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally
>>>>>>> over a Unix socket on the same machine, but I tried over inet with
>>>>>>> STARTTLS and it's working ok...
>>>>>>> 
>>>>>>> I would suggest double-checking the key/cert setup on the OpenLDAP
>>>>>>> side; for the test I used LE certs, utilizing the following
>>>>>>> cn=config attributes:
>>>>>>> 
>>>>>>> olcTLSCertificateKeyFile    contains private key
>>>>>>> olcTLSCertificateFile       contains certificate
>>>>>>> olcTLSCACertificateFile     contains both certs (DST Root CA X3
>>>>>>>                             and Let's Encrypt Authority X3)
>>>>>>> 
>>>>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>>>> 
>>>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has trouble, or ...?
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Hope that helps, good luck ;)
>>>>>>> Tomas
>>>>>>> 
>>>>>>> 
>>>>>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>>>>>>> Hello guys,
>>>>>>>> 
>>>>>>>> I'm currently trying to configure dovecot to access openldap for
>>>>>>>> password checking.
>>>>>>>> My openldap only allows access over "secure ldap".
>>>>>>>> Dovecot can communicate with the openldap server, but there is
>>>>>>>> maybe a failure in the SSL handshake.
>>>>>>>> You can find additional information in the logs or in the dump
>>>>>>>> below.
>>>>>>>> My ldap config for dovecot is also in the links below.
>>>>>>>> 
>>>>>>>> I have already created a bug report in the openldap system, but
>>>>>>>> the answer was to get support from here.
>>>>>>>> 
>>>>>>>> All data links:
>>>>>>>> https://gwarband.de/openldap/dovecot.log
>>>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>>>>> https://gwarband.de/openldap/openldap.log
>>>>>>>> https://gwarband.de/openldap/trace.dump
>>>>>>>> 
>>>>>>>> The bug report link from openldap:
>>>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>>>> 
>>>>>>>> I hope you can help me.
>>>>>>>> 
>>>>>>>> Regards,
>>>>>>>> Tobias Warband
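To make the failing step visible, here is an added example that is not part of the thread and not code from Dovecot or OpenLDAP: a small Python probe that speaks the LDAP StartTLS exchange itself and then runs the TLS handshake under the same trust policy Dovecot's libldap client applies for tls = yes, tls_require_cert = demand and tls_ca_cert_file. Run it as the dovecot user, so an unreadable CA file shows up as a plain PermissionError and a bad chain or hostname as SSLCertVerificationError, instead of the bare "Connection error" seen above. The host, port and CA path are command-line assumptions; the mapping of tls_require_cert values other than demand/never onto Python's verify modes is an approximation; and the BER encoder/decoder is generic, going a bit beyond the single request the thread needs.

```python
"""Hand-rolled LDAP StartTLS probe (added example, not code from the thread)."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14


def ber_tlv(tag, value):
    """Encode one BER TLV with a definite-length (short or long form) header."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def ber_parse(buf, off=0):
    """Decode one TLV at buf[off:]; return (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[off + 2:off + 2 + k], "big"), 2 + k
    start = off + hdr
    return tag, buf[start:start + n], start + n


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    mid = msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big", signed=True)
    return ber_tlv(0x30, ber_tlv(0x02, mid) + ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID)))


def parse_starttls_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = ber_parse(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    t1, mid, off = ber_parse(body)
    t2, op, _ = ber_parse(body, off)
    if t1 != 0x02 or t2 != 0x78:            # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("expected messageID + ExtendedResponse, got 0x%02x/0x%02x" % (t1, t2))
    _, rc, off = ber_parse(op)              # resultCode ENUMERATED, 0 = success
    _, _matched, off = ber_parse(op, off)   # matchedDN (unused)
    _, diag, _ = ber_parse(op, off)         # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))


def tls_context(ca_file, require_cert="demand"):
    """Approximate Dovecot's tls_require_cert (libldap TLS_REQCERT) with Python verify modes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if require_cert in ("demand", "hard"):
        ctx.check_hostname = True           # libldap also matches the URI host against the cert
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif require_cert == "never":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:                                   # allow/try: closest Python offers; still verifies a sent cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_OPTIONAL
    if ca_file:                             # tls_ca_cert_file; must be readable by the auth process user
        ctx.load_verify_locations(cafile=ca_file)
    # No CA loaded + "demand" fails the handshake, like an empty tls_ca_cert_file with no TLS_CACERT fallback.
    return ctx


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection before answering StartTLS")
        buf += chunk
    return buf


def read_ldap_message(sock):
    """Read one complete BER-framed LDAPMessage."""
    hdr = _recv_exact(sock, 2)
    extra = b"" if hdr[1] < 0x80 else _recv_exact(sock, hdr[1] & 0x7F)
    n = hdr[1] if hdr[1] < 0x80 else int.from_bytes(extra, "big")
    return hdr + extra + _recv_exact(sock, n)


def starttls_probe(host, port=389, ca_file=None, require_cert="demand", timeout=10.0):
    """Connect in the clear, negotiate StartTLS, then handshake under the given policy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:  # no 1-minute hang
        sock.sendall(starttls_request(1))
        _, rc, diag = parse_starttls_response(read_ldap_message(sock))
        if rc != 0:
            raise RuntimeError("server refused StartTLS: resultCode=%d %r" % (rc, diag))
        tls = tls_context(ca_file, require_cert).wrap_socket(sock, server_hostname=host)
        with tls:                           # SSLCertVerificationError here names the real cause
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    # e.g. sudo -u dovecot python3 probe.py ldap.example.org /etc/ssl/certs/ca.pem (assumed names)
    print(starttls_probe(sys.argv[1], ca_file=sys.argv[2] if len(sys.argv) > 2 else None))
```

Compare its result with ldapsearch -ZZ run as the same user: if the probe verifies the chain but Dovecot still reports "Connection error", the difference is in what libldap reads from dovecot-ldap.conf versus /etc/ldap/ldap.conf, not in the server's certificate.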

