On Fri, Jun 26, 2009 at 02:12:12PM -0400, btb wrote:

>>> testing with postmap returns:
>>>> postmap -q 'example.com' ldap:./virtual_mailbox_domains.cf
>>> postmap: warning: dict_ldap_set_tls_options: Unable to allocate new TLS 
>>> context -1: Can't contact LDAP server
>> Have you tried with "start_tls = yes" instead of "ldaps"?
>> Have you tried "debuglevel = 1", to see more verbose OpenLDAP logging?
>
> i hadn't tried start_tls.  a test returns the same result.  i did 
> experiment with various debug levels.  -1 (in accordance with the openldap 
> lib docs) appears to return the most information, and is very verbose when 
> successful (e.g. ldap:), but only returns the following when ldaps: is 
> used:
>
> ldap_create
> ldap_url_parse_ext(ldaps://ldap.example.com)
> ldap_err2string
> postmap: warning: dict_ldap_set_tls_options: Unable to allocate new TLS 
> context -1: Can't contact LDAP server

Have you tried debuglevel = 2?

> i also experimented with increased verbosity for postmap, but it appeared 
> to not introduce any additional clues (i'll omit output unless it's 
> requested)

All the interesting behaviour is in the LDAP library, so this is not
surprising.

>> Are you using GnuTLS or OpenSSL?
>
> postfix appears to be using openssl:

No, not Postfix, the LDAP library.

> openldap appear to be using gnutls:
>
> >ldd /usr/sbin/slapd | egrep -i '(tls|ssl)'
>       libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7d01000)

Not sure it is a good idea to mix both in the same address space...
I've only ever tested with LDAP over OpenSSL, not LDAP over GNUTLS.

>> I don't see any code path in OpenLDAP 2.4.11 that wants a live server
>> connection for setting the per-connection TLS context. This call should
>> not be failing.
>
> in the interest of full disclosure, this is one of those "it used to work" 
> scenarios.  this had been a functioning setup for some time. breakage 
> followed a collection of updates to various packages that i had been 
> putting off.

Well, Postfix 2.6 is doing something new with LDAP, to prevent conflicts
with TLS policy in nsswitch modules, ... 

The relevant Postfix code is only activated if compiled and used with
OpenLDAP 2.4 or later.

What exactly was working before and what did you change? You need
a version of the LDAP library with debugging symbols. Then single-step
"gdb" (debugging "postmap") through ldap_int_tls_init_ctx()

called from     ldap_pvt_tls_set_option().
----- openldap/libraries/libldap/tls.c line 332
        case LDAP_OPT_X_TLS_NEWCTX:
                if ( !arg ) return -1;
                if ( lo->ldo_tls_ctx )
                        ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
                lo->ldo_tls_ctx = NULL;
                return ldap_int_tls_init_ctx( lo, *(int *)arg );

called from     ldap_set_option()
----- openldap/libraries/libldap/options.c line 332
    #ifdef HAVE_TLS
        if ( ldap_pvt_tls_get_option( ld, option, outvalue ) == 0 ) {
                return LDAP_OPT_SUCCESS;
        }
    #endif

called from     dict_ldap_set_tls_options()
----- postfix/src/global/dict_ldap.c line 560 -----
    #ifdef LDAP_OPT_X_TLS_NEWCTX
        if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server))
            != LDAP_SUCCESS) {
            msg_warn("%s: Unable to allocate new TLS context %d: %s",
                     myname, rc, ldap_err2string(rc));
            return (-1);
        }
    #endif

This code works with Postfix and OpenLDAP both using OpenSSL, I don't
have a GNUTLS build of OpenLDAP to test.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
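An added example, not from this thread, for the question raised above of which TLS library is actually in play: a small POSIX sh script that runs ldd on postmap, reports whether OpenSSL, GnuTLS or both are mapped into its address space, and separately classifies the libldap it loads. The script name tls_backends.sh and the fallback path /usr/sbin/postmap are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The reply's point is that the TLS
# backend that matters is libldap's, not Postfix's, and that having OpenSSL
# and GnuTLS in one process is dubious. This script checks both via ldd.
# Assumed: postmap on PATH or at /usr/sbin/postmap; GNU/Linux style ldd output.

# Read ldd output on stdin; print which TLS stack(s) it references.
classify_tls() {
    awk '
        /libssl\.so|libcrypto\.so/ { o = 1 }
        /libgnutls\.so/            { g = 1 }
        END {
            if (o && g)  print "openssl+gnutls"
            else if (o)  print "openssl"
            else if (g)  print "gnutls"
            else         print "none"
        }'
}

# Read ldd output on stdin; print the resolved path of libldap (first match).
libldap_path() {
    awk '/libldap[^ ]*\.so/ && $3 ~ /^\// { print $3; exit }'
}

main() {
    postmap=${1:-$(command -v postmap || echo /usr/sbin/postmap)}
    [ -x "$postmap" ] || { echo "postmap not found: $postmap" >&2; return 1; }

    deps=$(ldd "$postmap") || return 1
    ldap_lib=$(printf '%s\n' "$deps" | libldap_path)
    [ -n "$ldap_lib" ] || { echo "$postmap is not linked with libldap" >&2; return 1; }

    process=$(printf '%s\n' "$deps" | classify_tls)
    echo "TLS libs in postmap's address space : $process"
    echo "TLS lib used by $ldap_lib : $(ldd "$ldap_lib" | classify_tls)"

    # The mixed case the reply warns about: two TLS stacks in one process.
    case $process in
    openssl+gnutls)
        echo "warning: both OpenSSL and GnuTLS are mapped into postmap" ;;
    esac
}

# Run main only when executed as a script (not when sourced for its functions).
case ${0##*/} in tls_backends.sh) main "$@" ;; esac
```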
