On Wed, Feb 25, 2009 at 11:59:43AM -0600, Nick Geron wrote:
>
> Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS trace:
> SSL_connect:SSLv3 read server hello A
> Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS
> certificate verification: depth: 0, err: 18, subject:
> /[email protected]/CN=ldap13.example.com/OU=IDC/O=Example
> Co/ST=Texas/C=US,
> Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: issuer:
> /[email protected]/CN=ldap13.example.com/OU=IDC/O=Example
> Co/ST=Texas/C=US
> Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS
> certificate verification: Error, self signed certificate
>
> I've started looking at dict_ldap.c and postmap.c and openldap's tls.c and
> realize that, no, I am not a programmer.
> I'm assuming they both end up using dict_ldap. I've looked over the various
> error messages dict_ldap.c puts into the log when parsing tls_ca_cert_file
> and dir (ex: msg_warn statements while parsing the config file) and none
> appear in syslog. Indeed, proxymap verbose output shows it reading in the
> config entry:
>
> Feb 25 11:37:46 smtp11 postfix/proxymap[29694]: cfg_get_str:
> /etc/postfix/ldap/aliases.cf: tls_ca_cert_dir = /etc/postfix/ssl
Where is the proxymap "tls_ca_cert_file" setting? I thought your cert
was provided as a CAfile not a CApath. Is it a CA cert with
"basicConstraints: CA:true"?
> It also looks like dict_ldap.c is simply setting constants for use with
> libldap.so:
>
> if (*dict_ldap->tls_ca_cert_dir) {
>     if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
>                               dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS)
>     {
>         msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
>                  myname, dict_ldap->tls_ca_cert_dir,
>                  rc, ldap_err2string(rc));
>         return (-1);
>     }
> }
Yes, LDAP TLS is implemented by OpenLDAP not Postfix.
> So I'm still a bit confused why postmap works and proxymap doesn't when
> neither reports it cannot set the cacert directory (or file if I use that
> config).
Do you have SELinux or AppArmor protecting any of the cert files from
use by "proxymap"? Is proxymap really not chrooted? Is "postmap -q"
really running with the same uid/gid as "proxymap"? Any LDAP related
differences in the environment? Try "postmap" with a clean environment.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
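The CAfile-versus-CApath distinction Viktor probes above is the usual reason a self-signed LDAP certificate verifies in one daemon and fails with "err: 18, self signed certificate" in another: the ldap_set_option call quoted from dict_ldap.c hands tls_ca_cert_dir to OpenLDAP as LDAP_OPT_X_TLS_CACERTDIR, and OpenSSL only finds certificates in such a directory under the `<subject-hash>.N` names that c_rehash creates, never by a plain file name. The script below is an added example, not code from the thread, Postfix or OpenLDAP; it assumes openssl(1) is installed, builds its own throwaway self-signed certificates in a temporary directory, and uses function names of my own. It checks whether a certificate is marked as a CA (basicConstraints CA:TRUE), whether a CApath directory holds the hash entry for a given certificate, and runs the same verification both ways so the two failure modes can be told apart before anyone suspects chroot, SELinux or uid differences.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tell a CAfile trust store
# apart from a CApath one the way OpenSSL, and therefore OpenLDAP's
# TLS_CACERTDIR / Postfix tls_ca_cert_dir, sees them. Requires openssl(1).
set -u

# Create a self-signed certificate $2.pem (key in $2.key) inside directory $1.
# $3 is "ca" (basicConstraints CA:TRUE) or "leaf" (CA:FALSE). A private
# config file is used so the system openssl.cnf is not needed.
make_self_signed() {
    dir=$1 name=$2 kind=$3
    cnf=$(mktemp) || return 1
    cat >"$cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cnf" \
        -extensions "$kind" -subj "/CN=$name.example.test" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Return 0 if the PEM certificate $1 carries basicConstraints CA:TRUE
# (Viktor's "is it a CA cert" question).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Basic Constraints/ { getline; print }' | grep -q 'CA:TRUE'
}

# Print the subject hash OpenSSL uses for directory lookups of certificate $1.
subject_hash() { openssl x509 -in "$1" -noout -hash; }

# Return 0 if CApath directory $2 has a <hash>.0 entry for certificate $1.
capath_has_entry() { [ -e "$2/$(subject_hash "$1").0" ]; }

# Install certificate $1 into CApath directory $2 under <hash>.N, the naming
# c_rehash produces; a plain copy under any other name is invisible to OpenSSL.
install_capath_entry() {
    h=$(subject_hash "$1") || return 1
    n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
    cp "$1" "$2/$h.$n"
}

# Verify certificate $1 against trust store $2 as a CAfile / as a CApath.
# Default locations are disabled so only the named store decides.
verify_with_cafile() { openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; }
verify_with_capath() { openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1; }

# One-line verdict for certificate $1 against store $2 (file or directory).
trust_store_verdict() {
    if [ -d "$2" ]; then
        if ! capath_has_entry "$1" "$2"; then
            echo "CApath missing $(subject_hash "$1").N entry (run c_rehash)"
            return 1
        fi
        verify_with_capath "$1" "$2" && echo "CApath OK" || { echo "CApath verify failed"; return 1; }
    else
        verify_with_cafile "$1" "$2" && echo "CAfile OK" || { echo "CAfile verify failed"; return 1; }
    fi
}

# Walk through the thread's scenario with constructed certificates.
demo() {
    t=$(mktemp -d) || exit 1
    make_self_signed "$t" ldap13 leaf
    mkdir "$t/ssl" && cp "$t/ldap13.pem" "$t/ssl/ldap13.pem"
    echo "self-signed cert is CA: $(is_ca_cert "$t/ldap13.pem" && echo yes || echo no)"
    trust_store_verdict "$t/ldap13.pem" "$t/ldap13.pem"   # CAfile: OK
    trust_store_verdict "$t/ldap13.pem" "$t/ssl"          # CApath: missing entry
    install_capath_entry "$t/ldap13.pem" "$t/ssl"
    trust_store_verdict "$t/ldap13.pem" "$t/ssl"          # CApath: OK
    rm -rf "$t"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check_capath.sh demo` to see the three verdicts in order; in a real installation the same functions can be pointed at the LDAP server's certificate and at the tls_ca_cert_file / tls_ca_cert_dir values from the proxymap log. Note that openssl versions before 1.0.0 computed a different subject hash, which is why c_rehash writes both the old and the new name.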