I've replicate the settings from ldapsearch to dovecot but no success.
To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and
dovecot has read access to that file.
I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log
And the other site with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log
I'm pretty sure that there is a problem with the sslhandshaking between
openldap and dovecot, but I can't find the source of the problem.
One of the steps in the sslhandshaking is not success but in the
debugging output I can't find any line with a hit to it.
Tobias
Am 2017-03-18 12:30, schrieb Tomas Habarta:
Well, if ldapsearch works, try to replicate its settings for dovecot
client.
It's not obvious what settings ldapsearch uses, have a look at default
client settings in /etc/openldap/ldap.conf, there may be something set
a
slightly different way.
Also double check permissions for files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file as dovecot may not have an access
for reading...
I cannot see anything downright bad, just posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem but I consider it's
the
same file.
Finally, I would recommend to enable debug option for dovecot's client
debug_level = -1 (which logs all available) in your dovecot-ldap.conf
to see what the library reports and work further on that.
You can compare with output from ldapsearch by adding -d-1 switch to
it.
Hard to tell more at the moment.
Tomas
On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
Hello,
I have also installed LE certs.
But nothing helps, I have double-checking all certs.
ldapsearch with -ZZ works see:
https://gwarband.de/openldap/ldapsearch.log
I have also uploaded the TLSCACertificateFile, maybe I have a failure
in
the merge of the two fiels:
https://gwarband.de/openldap/LetsEncrypt.crt
And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf
All other components can work and communicate with my openldap
server.
The components are postfix, openxchange, apache (phpldapadmin).
My installated software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13
I hope you can find the issue.
Thanks,
Tobias
Am 2017-03-17 22:48, schrieb Tomas Habarta:
Hi,
been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over
the
unix socket on the same machine, but tried over inet with STARTTLS
and
it's working ok...
I would suggest double-checking key/certs setup on OpenLDAP side;
for
the test I have used LE certs, utilizing following cn=config
attributes:
olcTLSCertificateKeyFile contains private key
olcTLSCertificateFile contains certificate
olcTLSCACertificateFile contains both certs (DST Root CA X3
and Let's Encrypt Authority X3)
and used the same CA file in Dovecot's tls_ca_cert_file
Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ...
?
Hope that helps, good luck ;)
Tomas
On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
Hello guys,
actually I'm trying to configure dovecot to access openldap for
passwordcheck.
My openldap is only allow access over "secure ldap".
The dovecot can communicate with the openldap server but there is
maybe
a failure in the sslhandshake.
Additional information you can find in the logs or in the dump
below.
Also I have my ldap config from dovecot in the links below.
I have already created an bug reporting in the system of openldap
but
the answer was to get support from her.
All datalinks:
https://gwarband.de/openldap/dovecot.log
https://gwarband.de/openldap/dovecot-ldap.conf
https://gwarband.de/openldap/openldap.log
https://gwarband.de/openldap/trace.dump
The bugreportinglink from openldap:
http://www.openldap.org/its/index.cgi/Incoming?id=8615
I hope you can help me.
Regards.
Tobias Warband
