
Re: Dovecot can't connect to openldap over starttls



On 03/19/17 09:07 +0100, info@gwarband.de wrote:
Am 2017-03-19 01:09, schrieb Dan White:
On 03/17/2017 04:27 PM, info@gwarband.de wrote:
https://gwarband.de/openldap/dovecot.log

Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=149.172.171.148, lip=188.68.37.50, session=<gcDtzHFKbwCVrKuU>

https://gwarband.de/openldap/dovecot-ldap.conf

uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))

https://gwarband.de/openldap/openldap.conf

# Certificate
TLSCACertificateFile    /etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile  /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile   /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite      SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin      3.1
TLSVerifyClient     never

# Read slapd.conf(5) for possible values
loglevel            256

There are more verbose options.

# Include ACLs
include         /etc/ldap/acl.conf

What are the contents of /etc/ldap/ldap.conf?

The ldap.conf is no different from the dovecot-ldap.conf.
See: https://gwarband.de/openldap/ldap.conf
The "TLS_REQCERT" setting is "demand" in both confs. I changed it after that.

The ldapsearch command also works under the user "dovecot".
See: https://gwarband.de/openldap/ldapsearch-dovecot.log

~$ ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"

There is a difference in your binding DN.

Debug Dovecot's implementation of ldap_start_tls_s().

--
Dan White
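As an added, stand-alone example (not code from this thread, nor from Dovecot or OpenLDAP), the script below does by hand what ldap_start_tls_s() does: it sends the LDAP StartTLS extended request (OID 1.3.6.1.4.1.1466.20037, RFC 4511) over a plain socket, checks the ExtendedResponse, and then runs a verified TLS handshake with Python's ssl module using the CA file and the "demand"-style certificate verification that the dovecot-ldap.conf above asks for. It uses only the standard library, so it can be run as the "dovecot" user in the same environment; when the handshake fails it prints the actual OpenSSL reason (unknown CA, hostname mismatch, protocol or cipher mismatch), which libldap collapses into the bare "Connect error" seen in the log. The host and CA-file defaults are taken from the config quoted in the thread; the sample response bytes in the comments are constructed for illustration.

```python
"""Hand-rolled LDAP StartTLS probe (added example, not Dovecot or OpenLDAP code).

Reproduces what libldap's ldap_start_tls_s() does, step by step, so a failing
handshake reports its real cause instead of the bare "Connect error".
Python standard library only.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511


def ber(tag, content):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def parse_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    message_id is assumed to be < 128 so it fits one INTEGER content byte.
    Wire form for id 1: 30 1d 02 01 01 77 18 80 16 "1.3.6.1.4.1.1466.20037".
    """
    ext_req = ber(0x77, ber(0x80, STARTTLS_OID))          # 0x60 | 23, constructed
    return ber(0x30, ber(0x02, bytes([message_id])) + ext_req)


def parse_extended_response(msg):
    """Pull messageID, resultCode and diagnosticMessage out of an ExtendedResponse.

    A constructed success reply looks like: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
    """
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = parse_tlv(body)                         # messageID INTEGER
    tag, op, _ = parse_tlv(body, pos)
    if tag != 0x78:                                       # 0x60 | 24 = ExtendedResponse
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, rc, pos = parse_tlv(op)                            # resultCode ENUMERATED
    _, matched, pos = parse_tlv(op, pos)                  # matchedDN
    _, diag, _ = parse_tlv(op, pos)                       # diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(rc, "big"),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def read_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage (SEQUENCE) from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        lb = recv_exact(sock, length & 0x7F)
        head, length = head + lb, int.from_bytes(lb, "big")
    return head + recv_exact(sock, length)


def starttls(host, port=389, cafile=None, timeout=10):
    """Plain connect, StartTLS request, then a verified handshake (TLS_REQCERT demand)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request())
    resp = parse_extended_response(read_ldap_message(sock))
    if resp["result_code"] != 0:
        raise RuntimeError("StartTLS refused: resultCode=%d %s"
                           % (resp["result_code"], resp["diagnostic"]))
    ctx = ssl.create_default_context(cafile=cafile)       # CERT_REQUIRED + hostname check
    return ctx.wrap_socket(sock, server_hostname=host)    # raises ssl.SSLError on failure


if __name__ == "__main__":
    # Defaults are the values from the dovecot-ldap.conf quoted in the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.gwarband.de"
    cafile = sys.argv[2] if len(sys.argv) > 2 else "/etc/ssl/certs/LetsEncrypt.pem"
    try:
        tls = starttls(host, cafile=cafile)
    except (OSError, RuntimeError) as exc:                # ssl.SSLError is an OSError
        print("StartTLS to %s failed: %s" % (host, exc))
        sys.exit(1)
    cert = tls.getpeercert()
    print("negotiated", tls.version(), "subject:", cert.get("subject"))
    print("SANs:", [v for _, v in cert.get("subjectAltName", ())])
    tls.close()
```

Run it as `sudo -u dovecot python3 starttls_probe.py ldap.gwarband.de /etc/ssl/certs/LetsEncrypt.pem`. A clean run prints the negotiated protocol and the certificate's subject and SANs, which should include the name in `uris`; a failure prints the OpenSSL verification or protocol error that libldap only reports as "Connect error".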