(apologies if i'm reposting this. i forget i hadn't resubscribed before
sending initially)
hi-
i'm having some trouble using ldaps in a lookup map for
virtual_mailbox_domains (among others).
here's my lookup map:
>cat virtual_mailbox_domains.cf
version = 3
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
server_host = ldaps://ldap.example.com
bind_dn = cn=postfix,ou=services,ou=accounts,dc=example,dc=com
bind_pw = xxxxxxxxxxxxxx
search_base = ou=domains,ou=mail,dc=example,dc=com
query_filter = (&(objectClass=mailDomain)(host=%s)(description=virtual))
result_attribute = description
testing with postmap returns:
>postmap -q 'example.com' ldap:./virtual_mailbox_domains.cf
postmap: warning: dict_ldap_set_tls_options: Unable to allocate new TLS
context -1: Can't contact LDAP server
however, if i switch from ldaps:// to ldap://, it's successful.
the same ldaps query via ldapsearch (on the same computer as postmap)
appears to be successful:
>ldapsearch -LLLxP 3 -H 'ldaps://ldap.ltn.lvc.com' -D
'cn=postfix,ou=services,ou=accounts,dc=example,dc=com' -w
'xxxxxxxxxxxxx' -b 'dc=example,dc=com'
"(&(objectClass=mailDomain)(host=example.com)(description=virtual))"
description
dn: host=example.com,ou=domains,ou=mail,dc=example,dc=com
description: virtual
also - testing with s_client seems to indicate that the certificate file
/etc/ssl/certs/ca-certificates.crt is ok, as the return code is 0 (ok)
when using -CAfile and 21 (unable to verify the first certificate) when
not used (i'll spare the pages of s_client for the moment.)
what am i doing wrong?
postfix 2.6.2-RC1
openldap 2.4.11
debian testing
thanks
-ben
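A small offline validator for the ldap_table(5) file format shown above, added here as an example; it is not from the original thread or from Postfix. It parses the `key = value` file and reports settings that commonly break or weaken an ldaps:// lookup: no trust anchor or a tls_ca_cert_file that does not exist, tls_require_cert left unset (so the server certificate is not verified), a cleartext ldap:// bind that carries a password, and a table file readable by group/other while it stores bind_pw. The parameter names are the documented ldap_table(5) ones; the constructed sample file, the finding messages and the injectable path_exists hook are this example's own.

```python
"""Offline sanity checks for a Postfix ldap_table(5) lookup-table file.

Added example (not Postfix code): parses the 'key = value' format of a
Postfix LDAP table file and reports TLS-related settings that commonly
break or weaken an ldaps:// lookup. Messages and checks are this example's.
"""
import os
import stat
from urllib.parse import urlsplit

# Constructed sample resembling the table file in the post (password redacted).
SAMPLE_CF = """\
# virtual_mailbox_domains.cf (constructed sample)
version = 3
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
server_host = ldaps://ldap.example.com
bind_dn = cn=postfix,ou=services,ou=accounts,dc=example,dc=com
bind_pw = xxxxxxxxxxxxxx
search_base = ou=domains,ou=mail,dc=example,dc=com
query_filter = (&(objectClass=mailDomain)(host=%s)(description=virtual))
result_attribute = description
"""


def parse_table(text):
    """Parse Postfix 'key = value' lines; '#' comments and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_tls(params, path_exists=os.path.exists):
    """Return a list of findings about transport security for the lookup.

    path_exists is injectable so the check can run on a box without the CA file.
    """
    findings = []
    hosts = params.get("server_host", "").split()
    if not hosts:
        findings.append("server_host is not set")
    schemes = set()
    for host in hosts:
        # Bare host names default to the ldap:// scheme.
        url = host if "://" in host else "ldap://" + host
        scheme = urlsplit(url).scheme
        schemes.add(scheme)
        if scheme not in ("ldap", "ldaps", "ldapi"):
            findings.append("unknown scheme in server_host entry: %s" % host)

    start_tls = params.get("start_tls", "no").lower() == "yes"
    uses_tls = "ldaps" in schemes or start_tls
    if start_tls and params.get("version") != "3":
        findings.append("start_tls needs version = 3 (StartTLS is an LDAPv3 operation)")

    if not uses_tls:
        if "bind_pw" in params and "ldapi" not in schemes:
            findings.append("bind_pw is sent in the clear: no ldaps:// scheme and no start_tls")
        return findings

    ca_file = params.get("tls_ca_cert_file")
    ca_dir = params.get("tls_ca_cert_dir")
    if not ca_file and not ca_dir:
        findings.append("TLS in use but neither tls_ca_cert_file nor tls_ca_cert_dir is set")
    if ca_file and not path_exists(ca_file):
        findings.append("tls_ca_cert_file does not exist: %s" % ca_file)
    if params.get("tls_require_cert", "no").lower() != "yes":
        findings.append("tls_require_cert is not 'yes': the server certificate is not verified")
    return findings


def check_mode(params, mode):
    """Flag a table file that stores bind_pw but is readable by group or other."""
    findings = []
    if "bind_pw" in params and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file holds bind_pw but mode %o lets group/other read it" % (mode & 0o777))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # validate a real table file given on the command line
        with open(sys.argv[1]) as fh:
            params = parse_table(fh.read())
        mode = os.stat(sys.argv[1]).st_mode
    else:  # fall back to the constructed sample with a constructed 0644 mode
        params, mode = parse_table(SAMPLE_CF), 0o644
    for finding in check_tls(params) + check_mode(params, mode):
        print("finding:", finding)
```

Run it as `python3 check_ldap_table.py /etc/postfix/virtual_mailbox_domains.cf` (file name assumed) to vet a real table before pointing postmap at it; with no argument it checks the constructed sample, where the only findings are the unverified server certificate and the group/other-readable mode.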