On Wed, Feb 25, 2009 at 02:13:03PM -0600, Nick Geron wrote:
> The crt file may as well be named ldap13.pem If you're looking for the raw
> contents:
>
> smtp11 mail # su - postfix
> post...@smtp11 ~ $ ls -la /etc/postfix/ssl/
> total 20
> drwxr-xr-x 2 root root 4096 Feb 25 12:01 .
> drwxr-xr-x 5 root root 4096 Feb 25 12:04 ..
> -r--r--r-- 1 root root 918 Feb 24 15:59 ldap13.crt
> post...@smtp11 ~ $ cat /etc/postfix/ssl/ldap13.crt
> -----BEGIN CERTIFICATE-----
> MIICeTCCAeKgAwIBAgIESaRehjANBgkqhkiG9w0BAQUFADCBgDEeMBwGCSqGSIb3DQEJARYPZW5n
> QGNvcmVuYXAuY29tMRswGQYDVQQDExJsZGFwMTMuY29yZW5hcC5jb20xDDAKBgNVBAsTA0lEQzEW
> MBQGA1UEChMNQ29yZSBOQVAgTC5QLjEOMAwGA1UECBMFVGV4YXMxCzAJBgNVBAYTAlVTMB4XDTA5
> MDIyNDIwNTQzMFoXDTE0MDIyMzIwNTQzMFowgYAxHjAcBgkqhkiG9w0BCQEWD2VuZ0Bjb3JlbmFw
> LmNvbTEbMBkGA1UEAxMSbGRhcDEzLmNvcmVuYXAuY29tMQwwCgYDVQQLEwNJREMxFjAUBgNVBAoT
> DUNvcmUgTkFQIEwuUC4xDjAMBgNVBAgTBVRleGFzMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0B
> AQEFAAOBjQAwgYkCgYEAj6IX3Ms3OdSyOR+o1Ri9DovSI9pQPh2Lm28lxF5A8ZybgynjpLi44g1W
> eOHPba7MhlgfBD/CTQHy7zf+XB9sszQP/lmi969P2fRKFamFA4SERmBelNlUXTUAcZjnTfTQh7eS
> Iw5qtqgYA/ngv0M8NgQmxbpwUIelhNcOoEDJRjECAwEAATANBgkqhkiG9w0BAQUFAAOBgQATZLB6
> xHJlKVqaqBenQ4ojq/IJS+/fnE5/C0UR/KB7EBWNzasgLz3SgTeAZBGfGE3VldNsq+FL2ZB0Lpkr
> dqUGfhCNnQcjdqL2BnWl/5tlLKZd2LgdnwVmdZouG+aZMDIEDXd4lF4pwXulDoAwVgf/S4Q9WkVu
> +dmys253SMhEuw==
> -----END CERTIFICATE-----
Why does this self-signed cert lack a

    X509v3 Basic Constraints:
        CA:TRUE

extension?
> or alternatively, I have configured only the file with full path:
>
> tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
>
> The verification specified by LDAP_OPT_X_TLS_DEMAND, fails as it should
> without the CA. The problem as far as I see is that proxymap never
> attempts to open the specified file. For example, I was tracing master
> with the follow option in strace during the above. It opens pretty much
> everything related to ldap and ssl except the configured certificate.
>
> Here are some select files opened by proxymap:
> [pid 32474] open("/usr/lib/libldap-2.3.so.0", O_RDONLY) = 7
> [pid 32474] open("/usr/lib/liblber-2.3.so.0", O_RDONLY) = 7
> [pid 32474] open("/etc/postfix/main.cf", O_RDONLY) = 8
> [pid 32474] open("/etc/openldap/ldap.conf", O_RDONLY) = 8
What is in this file? I don't see postmap below using "ldap.conf". Do
you use LDAP in nsswitch.conf also? Perhaps postmap loads LDAP settings
from nsswitch.conf services that get in the way.
> [pid 32474] open("/etc/postfix/ldap/aliases.cf", O_RDONLY) = 10
> [pid 32474] open("/etc/postfix/ldap/domains.cf", O_RDONLY) = 10
>
>> This does not look like a CA cert file, it looks like the server cert
>> file.
>
> I have to defer to your judgment there, but I must re-assert that other
> programs are successfully using this certificate - including postmap. I'm
> uncertain if they (courier and cyrus) are verifying the chain, but that
> begs the question: Does postmap not verify when told to, and is that why
> postmap works where proxymap does not?
It should have "Basic Constraints" defined, but the issue is most likely
elsewhere.
> post...@smtp11 ~ $ cd /etc/postfix/ldap/
> post...@smtp11 /etc/postfix/ldap $ grep tls aliases.cf
> start_tls = yes
> tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
> tls_require_cert = yes
Perhaps ldap.conf overrides this in some fashion.
> Again, if proxymap is supposed to open read and close the file, that is not
> occurring according to strace output.
This is the problem you need to solve. Postfix passes this setting to LDAP,
the rest is up to LDAP.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[email protected]?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
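To make Viktor's point about the certificate concrete, here is an added example that is not part of the thread and not Postfix or OpenLDAP code: a standard-library-only Python walker over the DER of the certificate Nick posted. It reports the version, whether issuer equals subject (the usual self-signed test) and whether a basicConstraints extension is present. On the posted certificate it finds a v3 certificate with no extensions field at all, so there is no Basic Constraints to have CA:TRUE in. The second function builds a constructed input by appending a critical basicConstraints CA:TRUE extension to the same TBSCertificate; that only exercises the parser's positive path (the existing signature no longer covers the modified TBS), it is not a way to repair the file.

```python
"""Walk a PEM certificate's DER structure with the standard library only and report
the fields relevant to the thread: version, self-signedness and Basic Constraints."""
import base64
import re

# The certificate Nick posted above, copied verbatim from the message.
LDAP13_PEM = """-----BEGIN CERTIFICATE-----
MIICeTCCAeKgAwIBAgIESaRehjANBgkqhkiG9w0BAQUFADCBgDEeMBwGCSqGSIb3DQEJARYPZW5n
QGNvcmVuYXAuY29tMRswGQYDVQQDExJsZGFwMTMuY29yZW5hcC5jb20xDDAKBgNVBAsTA0lEQzEW
MBQGA1UEChMNQ29yZSBOQVAgTC5QLjEOMAwGA1UECBMFVGV4YXMxCzAJBgNVBAYTAlVTMB4XDTA5
MDIyNDIwNTQzMFoXDTE0MDIyMzIwNTQzMFowgYAxHjAcBgkqhkiG9w0BCQEWD2VuZ0Bjb3JlbmFw
LmNvbTEbMBkGA1UEAxMSbGRhcDEzLmNvcmVuYXAuY29tMQwwCgYDVQQLEwNJREMxFjAUBgNVBAoT
DUNvcmUgTkFQIEwuUC4xDjAMBgNVBAgTBVRleGFzMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAj6IX3Ms3OdSyOR+o1Ri9DovSI9pQPh2Lm28lxF5A8ZybgynjpLi44g1W
eOHPba7MhlgfBD/CTQHy7zf+XB9sszQP/lmi969P2fRKFamFA4SERmBelNlUXTUAcZjnTfTQh7eS
Iw5qtqgYA/ngv0M8NgQmxbpwUIelhNcOoEDJRjECAwEAATANBgkqhkiG9w0BAQUFAAOBgQATZLB6
xHJlKVqaqBenQ4ojq/IJS+/fnE5/C0UR/KB7EBWNzasgLz3SgTeAZBGfGE3VldNsq+FL2ZB0Lpkr
dqUGfhCNnQcjdqL2BnWl/5tlLKZd2LgdnwVmdZouG+aZMDIEDXd4lF4pwXulDoAwVgf/S4Q9WkVu
+dmys253SMhEuw==
-----END CERTIFICATE-----"""

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # id-ce-basicConstraints, 2.5.29.19


def pem_to_der(pem: str) -> bytes:
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER element at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Split the content octets of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER element (inverse of read_tlv)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def inspect_cert(der_cert: bytes) -> dict:
    """Parse Certificate -> TBSCertificate (RFC 5280 section 4.1); the signature is not checked."""
    _, cert, _ = read_tlv(der_cert, 0)
    tbs = children(children(cert)[0][1])     # tbsCertificate is the first element
    i, version = 0, 1                        # version is EXPLICIT [0]; absent means v1
    if tbs[0][0] == 0xA0:
        version, i = tbs[0][1][2] + 1, 1     # INTEGER 0/1/2 encodes v1/v2/v3
    serial = int.from_bytes(tbs[i][1], "big")
    issuer = tbs[i + 2][1]                   # tbs[i + 1] is the signature AlgorithmIdentifier
    not_before, not_after = (v.decode() for _, v in children(tbs[i + 3][1]))
    subject = tbs[i + 4][1]                  # tbs[i + 5] is subjectPublicKeyInfo
    exts = [v for t, v in tbs[i + 6:] if t == 0xA3]   # extensions [3] EXPLICIT, v3 only
    basic_constraints = None
    if exts:
        for _, ext in children(children(exts[0])[0][1]):   # Extensions ::= SEQUENCE OF Extension
            parts = children(ext)            # extnID, [critical BOOLEAN], extnValue OCTET STRING
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                inner = children(children(parts[-1][1])[0][1])    # BasicConstraints SEQUENCE
                basic_constraints = {
                    "critical": len(parts) == 3 and parts[1][1] == b"\xff",
                    "ca": any(t == 0x01 and v == b"\xff" for t, v in inner),  # cA DEFAULT FALSE
                }
    return {"version": version, "serial": serial, "self_signed": issuer == subject,
            "not_before": not_before, "not_after": not_after,
            "has_extensions": bool(exts), "basic_constraints": basic_constraints}


def add_basic_constraints_ca(der_cert: bytes) -> bytes:
    """Constructed test input: append a critical basicConstraints CA:TRUE extension to the
    posted (v3) certificate's TBSCertificate. The existing signature no longer covers the
    new TBS, so this only exercises the parser's positive path; it is not a usable CA cert."""
    _, cert, _ = read_tlv(der_cert, 0)
    (_, tbs), (alg_tag, alg), (sig_tag, sig) = children(cert)
    bc = der(0x30, der(0x01, b"\xff"))                          # BasicConstraints { cA TRUE }
    ext = der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + der(0x01, b"\xff") + der(0x04, bc))
    new_tbs = der(0x30, tbs + der(0xA3, der(0x30, ext)))
    return der(0x30, new_tbs + der(alg_tag, alg) + der(sig_tag, sig))


if __name__ == "__main__":
    original = pem_to_der(LDAP13_PEM)
    for label, blob in (("as posted", original),
                        ("with CA:TRUE appended", add_basic_constraints_ca(original))):
        print(label, inspect_cert(blob))
```

`openssl x509 -in /etc/postfix/ssl/ldap13.crt -noout -text` shows the same facts (the "X509v3 extensions" section is simply absent for this file); the walker is here only to make explicit what is and is not in the certificate. It decodes UTCTime values as the raw strings, and because it does not check the signature it says nothing about whether OpenLDAP's verification would accept the file as a CA.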