
Re: Dovecot can't connect to openldap over starttls

Am 2017-03-20 14:29, schrieb Dan White:
On 03/19/17 09:07 +0100, info@gwarband.de wrote:
Am 2017-03-19 01:09, schrieb Dan White:
On 03/17/2017 04:27 PM, info@gwarband.de wrote:

Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=, lip=, session=<gcDtzHFKbwCVrKuU>


uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter =
pass_attrs = email=user
pass_filter =


# Certificate
TLSCACertificateFile    /etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile  /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile   /etc/ssl/certs/gwarbandDE_LDAP.key
TLSProtocolMin      3.1
TLSVerifyClient     never

# Read slapd.conf(5) for possible values
loglevel            256

There are more verbose options.

# Include ACLs
include         /etc/ldap/acl.conf

What are the contents of /etc/ldap/ldap.conf?

The ldap.conf has no differences from the dovecot-ldap.conf.
See: https://gwarband.de/openldap/ldap.conf
The "TLS_REQCERT" setting is "demand" in both confs. I changed it after that.

The ldapsearch command also works under the user "dovecot".
See: https://gwarband.de/openldap/ldapsearch-dovecot.log

~$ ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"

There is a difference in your binding DN.

Debug Dovecot's implementation of ldap_start_tls_s().

The loglevel was manually edited to -1 ("any") and the log shows the output of this loglevel.

Yes, the binding DN is different, but I have also tried "cn=T000000002,ou=tech,dc=gwarband,dc=de" with no success.

I don't have any idea how to set a higher debug level in Dovecot. In my opinion I have the highest, so I can't deliver a more detailed log.
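Dan's suggestion to debug ldap_start_tls_s() can be approached from outside Dovecot. The script below is an added example, not code from this thread nor from Dovecot or OpenLDAP: it performs the same three steps libldap performs (TCP connect to port 389, the StartTLS extended operation from RFC 4511, then the TLS handshake verified against a CA file the way TLS_REQCERT demand does), and it stops at whichever step fails, so a "Connect error" can be pinned to the TCP connection, to the server refusing StartTLS, or to a certificate chain or hostname mismatch. The host ldap.gwarband.de and the CA path /etc/ssl/certs/LetsEncrypt.pem are assumptions taken from the posted configuration; the BER encoder and decoder are written here and cover only what the StartTLS exchange needs.

```python
"""Probe an LDAP server's StartTLS the way ldap_start_tls_s() does, one step at a time.

Added example, not code from the thread or from Dovecot/OpenLDAP. Host, port and
CA path used in __main__ are assumptions taken from the posted configuration.
"""
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

# resultCode values StartTLS commonly returns (RFC 4511 section 4.1.9 / RFC 4513).
RESULT_CODES = {0: "success", 1: "operationsError (TLS already active?)",
                52: "unavailable", 53: "unwillingToPerform (no TLS configured)"}


def _tlv(tag, value):
    """Encode one BER TLV with definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: next (n & 0x7f) bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, START_TLS_OID))   # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def parse_extended_response(buf):
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { ... } }."""
    tag, msg, _ = _read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = _read_tlv(msg)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:                    # 0x78 = APPLICATION 24, constructed
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = _read_tlv(op)         # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    code = int.from_bytes(rc, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code,
            "result": RESULT_CODES.get(code, "resultCode %d" % code),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def _recv_exactly(sock, n):
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("server closed the connection mid-message")
        data += part
    return data


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exactly(sock, 2)
    n = head[1]
    if n & 0x80:
        head += _recv_exactly(sock, n & 0x7F)
        n = int.from_bytes(head[2:], "big")
    return head + _recv_exactly(sock, n)


def starttls_probe(host, port=389, ca_file=None, timeout=5):
    """Connect, send StartTLS, then handshake against the CA file Dovecot is given.

    ssl.create_default_context() verifies the chain and the hostname, the same
    policy as TLS_REQCERT demand; a chain or name mismatch raises ssl.SSLError.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        resp = parse_extended_response(_recv_message(sock))
        if resp["result_code"] != 0:
            return resp                # server refused StartTLS; no handshake attempted
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            resp["tls_version"] = tls.version()
            resp["peer_subject"] = tls.getpeercert()["subject"]
    return resp


if __name__ == "__main__":
    # Assumed values from the posted dovecot-ldap.conf; adjust to your environment.
    print(starttls_probe("ldap.gwarband.de", 389, "/etc/ssl/certs/LetsEncrypt.pem"))
```

Run it as the dovecot user so it sees the same file permissions on the CA bundle as the auth process. If the TCP connect fails, the problem is network or port; if the server answers with a non-zero resultCode, slapd is refusing StartTLS; if the ssl handshake raises, the CA file does not validate the server's chain or the name in the certificate does not match the host in `uris`, which is exactly the case that TLS_REQCERT demand turns into a hard failure.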