The user "dovecot" can access and read the cert.
Here is an output of the console:
https://gwarband.de/openldap/dovecot-certs.log
So I think there is nothing that prevents Dovecot from accessing the file.
Tobias
On 2017-03-20 20:14, Tomas Habarta wrote:
Actually, I likely managed to replicate the problem itself.
I've observed the described behavior (timeout with connection error) only if Dovecot's tls_ca_cert_file provided either a non-existent file or there was no read access to the existing file -- found during review after sending my last post, as I run CentOS, not Debian, and didn't adjust the path correctly (/etc/ldap vs. /etc/openldap) in dovecot-ldap.conf when setting that up.
Anyway, ldapsearch uses the same library as Dovecot, so if ldapsearch works, Dovecot _simply_ must work as well ;)
As mentioned, I normally run CentOS, where /etc/ssl/certs has an SELinux security context; don't you by any chance run something similar which may prevent Dovecot from accessing the file?
I tested on Debian 8 with the standard repo software (same versions you reported), even tried also 2.2.27 from backports, and all worked ok, so there seems to be nothing wrong with either piece of software at all, just some little thing in the configuration...
Tomas
On 03/20/2017 02:04 PM, i...@gwarband.de wrote:
I've tested your solution, but it also gives the same error.
I've tested all combinations of:
- tls_ca_cert_file = <cert>
- tls = yes
- tls_require_cert = demand
Every time it says "Connection error".
Only when tls is uncommented does it say "TLS required".
Additional information from my contact with the openldap-technical mailing list:
The ldapsearch under the user dovecot with -ZZ works fine.
And they mention that the ldap.conf and dovecot-ldap.conf should have no differences; that is correct, there are no differences.
Here is a link to the ldap.conf
https://gwarband.de/openldap/ldap.conf
And the output of ldapsearch under dovecot:
https://gwarband.de/openldap/ldapsearch-dovecot.log
Tobias
On 2017-03-20 11:00, Tomas Habarta wrote:
I've finally managed to get that running on a Debian 8 test machine by commenting out the
tls_ca_cert_file =
option from dovecot-ldap.conf, so only
tls = yes
tls_require_cert = demand
Not sure why that is, as on my CentOS 6 Dovecot works even with that commented option. Maybe CentOS and Debian use different ldap libraries or different versions, or there's another peculiarity ...
Anyway, when tls_require_cert = demand is set, cite:
--
With a setting of demand the certificate is requested and a valid
certificate must be provided, otherwise the session is immediately
terminated.
--
As that option doesn't provide any source, it is taken from /etc/ldap/ldap.conf on Debian, and if it's missing there, the Dovecot client times out on validating the provided certificate with
imap-login: Error: Timeout waiting for handshake from auth server.
imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs)
Tomas
On 03/18/2017 02:22 PM, i...@gwarband.de wrote:
The server log of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 minute before it says "TLS negotiation failure" after the connect, and dovecot says "Connect error" directly.
I've also deleted the TLSCipherSuite from openldap.
Tobias
On 2017-03-18 14:01, Tomas Habarta wrote:
Increase the log level on the server side as well to see what the server says...
You may remove anything in TLSCipherSuite for the purpose of testing too.
Hopefully anyone knowing OpenLDAP internals could help you analyse it more deeply.
Tomas
On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
I've replicated the settings from ldapsearch to dovecot but no success.
To the certificate:
Yes, it's a *.crt file, but I have linked the *.pem file to it and dovecot has read access to that file.
I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log
And the other side with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log
I'm pretty sure that there is a problem with the SSL handshake between openldap and dovecot, but I can't find the source of the problem.
One of the steps in the SSL handshake is not successful, but in the debugging output I can't find any line with a hint to it.
Tobias
On 2017-03-18 12:30, Tomas Habarta wrote:
Well, if ldapsearch works, try to replicate its settings for the dovecot client.
It's not obvious what settings ldapsearch uses; have a look at the default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way.
Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file, as dovecot may not have access for reading...
I cannot see anything downright bad, just the posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem, but I consider it's the same file.
Finally, I would recommend enabling the debug option for dovecot's client, debug_level = -1 (which logs all available), in your dovecot-ldap.conf to see what the library reports and work further on that.
You can compare with output from ldapsearch by adding the -d-1 switch to it.
Hard to tell more at the moment.
Tomas
On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
Hello,
I have also installed LE certs.
But nothing helps; I have double-checked all certs.
ldapsearch with -ZZ works, see:
https://gwarband.de/openldap/ldapsearch.log
I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt
And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf
All other components can work and communicate with my openldap
server.
The components are postfix, openxchange, apache (phpldapadmin).
My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13
I hope you can find the issue.
Thanks,
Tobias
On 2017-03-17 22:48, Tomas Habarta wrote:
Hi,
been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok...
I would suggest double-checking the key/certs setup on the OpenLDAP side; for the test I have used LE certs, utilizing the following cn=config attributes:
olcTLSCertificateKeyFile contains private key
olcTLSCertificateFile contains certificate
olcTLSCACertificateFile contains both certs (DST Root CA X3 and Let's Encrypt Authority X3)
and used the same CA file in Dovecot's tls_ca_cert_file
Is ldapsearch working ok (-ZZ) and only Dovecot has troubles, or ... ?
Hope that helps, good luck ;)
Tomas
On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
Hello guys,
actually I'm trying to configure dovecot to access openldap for password checking.
My openldap only allows access over "secure ldap".
The dovecot can communicate with the openldap server, but there is maybe a failure in the SSL handshake.
Additional information you can find in the logs or in the dump below.
Also I have my ldap config from dovecot in the links below.
I have already created a bug report in the system of openldap, but the answer was to get support from here.
All datalinks:
https://gwarband.de/openldap/dovecot.log
https://gwarband.de/openldap/dovecot-ldap.conf
https://gwarband.de/openldap/openldap.log
https://gwarband.de/openldap/trace.dump
The bug report link from openldap:
http://www.openldap.org/its/index.cgi/Incoming?id=8615
I hope you can help me.
Regards.
Tobias Warband
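As an added example (not code posted by anyone in this thread), a small Python check for the failure modes Tomas identified: tls_ca_cert_file pointing at a missing or unreadable file, or a merged CA bundle with a broken certificate block. The config text and PEM bundle below are constructed samples, the path is a placeholder, and the realpath step assumes the .pem-to-.crt symlink Tobias described.

```python
import os
import re
import stat

# Constructed sample of the relevant dovecot-ldap.conf lines (not the real file from the thread).
SAMPLE_CONF = """\
hosts = ldap.example.test
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.crt
tls_require_cert = demand
"""

# Constructed two-block bundle; the bodies are dummies, only the PEM framing matters here.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBdummyRootCA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBdummyIntermediate==\n-----END CERTIFICATE-----\n"
)

def ca_file_from_conf(conf_text):
    """Return the tls_ca_cert_file value, or None if the option is absent or commented out."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"tls_ca_cert_file\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def count_pem_certs(pem_text):
    """Count complete PEM certificate blocks; -1 means a BEGIN/END mismatch (broken merge)."""
    begins = pem_text.count("-----BEGIN CERTIFICATE-----")
    ends = pem_text.count("-----END CERTIFICATE-----")
    return begins if begins == ends else -1

def check_ca_file(path):
    """Report the problems discussed in the thread: missing file, unreadable file, broken bundle."""
    problems = []
    if not os.path.exists(path):
        return ["tls_ca_cert_file does not exist: " + path]
    real = os.path.realpath(path)  # follow a .pem -> .crt symlink to the actual file
    mode = os.stat(real).st_mode
    if not mode & stat.S_IROTH:  # approximation: a dovecot-group-readable file would also work
        problems.append("not world-readable, the dovecot user may not be able to read " + real)
    try:
        with open(real) as f:
            n = count_pem_certs(f.read())
    except PermissionError:
        return problems + ["permission denied reading " + real]
    if n <= 0:
        problems.append("no complete certificate block found in " + real)
    return problems
```

Run it as the dovecot user (e.g. via sudo -u dovecot) so the read test reflects that account rather than root.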