On Thu Jun 26, 2025 at 8:21 AM CEST, Aki Tuomi wrote:
>
>> On 26/06/2025 09:10 EEST Bruno Hertz via dovecot <dovecot@dovecot.org> wrote:
>>
>>
>> Hi all
>>
>> I'm currently testing Dovecot 2.4, considering a migration from 2.3, and all
>> works fine except authentication against LDAP (openldap slapd) with client
>> certificates. Which I had no problem with on 2.3 for seven years or so.
>> [ .. snip .. ]
>>
>> Thoughts?
>>
>> Greetings, Bruno
>> _______________________________________________
>> dovecot mailing list -- dovecot@dovecot.org
>> To unsubscribe send an email to dovecot-l...@dovecot.org
>
> Dovecot uses openldap library, so it should respect what you have set in
> openldap config file. Can you run with ldap_debug_level = 9 to see if there
> is something that would explain this?
>
> Aki
Hello Aki,

thanks for your reply. Did as you requested, and I hope something useful can be gleaned from it.

First, dovecot gives plenty of:

dovecot: auth: Error: TLS trace: SSL_connect:error in SSLv3/TLS write client hello

Then, from slapd, TLS connection established:

slapd[2439]: conn=1001 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384

Then, from dovecot, the handshake:

dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write client hello
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server hello
dovecot: auth: Error: TLS trace: SSL_connect:TLSv1.3 read encrypted extensions

Then plenty of:

dovecot: auth: Error: TLS trace: SSL_connect:error in SSLv3/TLS read server certificate request

Then, finally, we're coming to the point:

dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server certificate request
dovecot: auth: Error: TLS certificate verification: depth: 1, err: 0, subject: /O=Mydomain Internal/CN=Root CA, issuer: /O=Mydomain Internal/CN=Root CA
dovecot: auth: Error: TLS certificate verification: depth: 0, err: 0, subject: /CN=*.mydomain.internal, issuer: /O=Mydomain Internal/CN=Root CA
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server certificate
dovecot: auth: Error: TLS trace: SSL_connect:TLSv1.3 read server certificate verify
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read finished
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write client certificate
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write finished
dovecot: auth: Error: ldap_int_sasl_open: host=ldaptest
dovecot: auth: Error: ldap_msgfree
dovecot: auth: Error: ldap_err2string
dovecot: auth: Error: ldap(ldaps://localhost.mydomain.internal:636): binding failed (dn (none)): Unknown authentication method, SASL(-4): no mechanism available:
dovecot: auth: Error: ldap_sasl_interactive_bind: user selected: external
dovecot: auth: Error: ldap_int_sasl_bind: external
dovecot: auth: Error: ldap_int_sasl_open: host=ldaptest
dovecot: auth: Error: ldap_msgfree
dovecot: auth: Error: ldap_err2string
dovecot: auth: Error: ldap(ldaps://localhost.mydomain.internal:636): binding failed (dn (none)): Unknown authentication method, SASL(-4): no mechanism available:
dovecot: imap-login : Login aborted: Logged out (auth service reported temporary failure, 1 attempts in 3 secs) (temp_fail): user=<testuser>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.11, TLS, session=<606v3XM46t3AqAAC>
dovecot: auth: Error: ldap_free_connection 1 1
dovecot: auth: Error: ldap_send_unbind
dovecot: auth: Error: TLS trace: SSL3 alert write:warning:close notify
dovecot: auth: Error: ldap_free_connection: actually freed

So it does connect, does say it writes the client certificate, but then I don't know how to read this.

For comparison the other end, slapd. First a simple ldapwhoami client connection, which succeeds:

conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
tls_read: want=5, got=5
  0000:  17 03 03 00 2b                                     ....+
tls_read: want=43, got=43
  0000:  63 a8 39 c4 f1 0c 75 53  9b 2e a9 7b b3 24 84 62   c.9...uS...{.$.b
  0010:  bb 01 32 0a 88 9d 39 c2  2f 06 1b ab 0d 59 a1 3b   ..2...9./....Y.;
  0020:  9d 71 e6 f2 a1 c1 dc 09  cc 1a 51                  .q........Q
ldap_read: want=8, got=8
  0000:  30 18 02 01 01 60 13 02                            0....`..
ldap_read: want=18, got=18
  0000:  01 03 04 00 a3 0c 04 08  45 58 54 45 52 4e 41 4c   ........EXTERNAL
  0010:  04 00                                              ..
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
conn=1000 op=0 BIND dn="" method=163

So there we see the EXTERNAL request and the successful bind. Now the dovecot client connection:

conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
tls_read: want=5, got=5
  0000:  17 03 03 00 18                                     .....
tls_read: want=24, got=24
  0000:  9c 7b cf 62 bf 11 3e 0c  30 db cf 5c 53 97 80 69   .{.b..>.0..\S..i
  0010:  9f 97 cc d8 bf 53 87 f9                            .....S..
ldap_read: want=8, got=7
  0000:  30 05 02 01 01 42 00                               0....B.
tls_read: want=5, got=5
  0000:  17 03 03 00 13                                     .....
tls_read: want=19, got=19
  0000:  44 f5 34 d2 cf cb 6f 9a  9d c6 38 c3 f0 34 9a 13   D.4...o...8..4..
  0010:  77 8a 24                                           w.$
ldap_read: want=8, got=0
conn=1000 op=0 UNBIND

No EXTERNAL request and unbind after some timeout.

So something appears to go wrong with the SASL setup, but what exactly, and why?

Greetings, Bruno
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
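The two `ldap_read` hex dumps in the slapd traces above are BER-encoded LDAPMessages, and decoding them shows exactly what each client sent after the TLS handshake. The following is an added example, not code from the thread or from the Dovecot or OpenLDAP projects: a small hand-written BER walker (sufficient for LDAP BindRequest and UnbindRequest, not a general LDAP parser) applied to the bytes transcribed from the two slapd dumps. Tag values come from RFC 4511; slapd's `method=163` is the decimal value of the SASL authentication choice tag 0xa3.

```python
"""Decode the LDAP PDUs that slapd's ldap_read hex dumps show.

Added example (not from this thread, nor Dovecot or OpenLDAP code). The two
byte strings are transcribed from the slapd debug output quoted above; the
BER walker is hand-written and handles just enough of BER for LDAP requests.
"""

# Transcribed from the slapd trace of the working ldapwhoami connection (two
# ldap_read calls: 8 bytes, then 18 bytes), concatenated into one LDAPMessage.
LDAPWHOAMI_PDU = bytes.fromhex(
    "30 18 02 01 01 60 13 02"
    "01 03 04 00 a3 0c 04 08 45 58 54 45 52 4e 41 4c 04 00"
)

# Transcribed from the slapd trace of the Dovecot connection
# (ldap_read: want=8, got=7).
DOVECOT_PDU = bytes.fromhex("30 05 02 01 01 42 00")

# RFC 4511 tags. slapd logs "method=163" because the SASL authentication
# choice is the context tag [3] = 0xa3 = 163 in decimal.
SEQUENCE = 0x30
INTEGER = 0x02
BIND_REQUEST = 0x60      # [APPLICATION 0] BindRequest
UNBIND_REQUEST = 0x42    # [APPLICATION 2] UnbindRequest (always empty)
AUTH_SIMPLE = 0x80       # [0] simple password
AUTH_SASL = 0xA3         # [3] SaslCredentials


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the BER TLV at pos.

    Supports short-form lengths and long-form lengths with up to 4 length
    octets, which covers every LDAPMessage slapd will log.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_ldap_message(pdu: bytes) -> dict:
    """Describe the protocol operation carried by one LDAPMessage."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != SEQUENCE or end != len(pdu):
        raise ValueError("not a single LDAPMessage SEQUENCE")

    tag, msgid, pos = read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("messageID must be INTEGER")
    msg = {"messageID": int.from_bytes(msgid, "big")}

    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == UNBIND_REQUEST:
        msg["op"] = "UnbindRequest"
        return msg
    if op_tag != BIND_REQUEST:
        msg["op"] = f"other(0x{op_tag:02x})"
        return msg

    # BindRequest ::= SEQUENCE { version INTEGER, name LDAPDN,
    #                            authentication AuthenticationChoice }
    msg["op"] = "BindRequest"
    _, version, pos = read_tlv(op, 0)
    msg["version"] = int.from_bytes(version, "big")
    _, name, pos = read_tlv(op, pos)
    msg["name"] = name.decode("utf-8")
    auth_tag, auth, _ = read_tlv(op, pos)
    if auth_tag == AUTH_SIMPLE:
        msg["auth"] = "simple"
    elif auth_tag == AUTH_SASL:
        # SaslCredentials ::= SEQUENCE { mechanism LDAPString,
        #                                credentials OCTET STRING OPTIONAL }
        _, mech, pos = read_tlv(auth, 0)
        msg["auth"] = "sasl"
        msg["mechanism"] = mech.decode("ascii")
        msg["has_credentials"] = pos < len(auth)
    else:
        msg["auth"] = f"other(0x{auth_tag:02x})"
    return msg


def compare_traces() -> tuple[dict, dict]:
    """Decode both captured PDUs: the ldapwhoami one carries a SASL EXTERNAL
    bind, the Dovecot one carries only an unbind."""
    return decode_ldap_message(LDAPWHOAMI_PDU), decode_ldap_message(DOVECOT_PDU)


if __name__ == "__main__":
    for label, decoded in zip(("ldapwhoami", "dovecot"), compare_traces()):
        print(f"{label}: {decoded}")
```

Run stand-alone, it decodes the ldapwhoami bytes as a version 3 BindRequest with an empty DN and SASL mechanism EXTERNAL, and the Dovecot bytes as a bare UnbindRequest (message ID 1). That matches slapd's own summary lines (`BIND dn="" method=163` versus `UNBIND`) and is consistent with the Dovecot side reporting `no mechanism available` locally before any bind request leaves the client.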