[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Dovecot can't connect to openldap over starttls

To: Dan White <dwhite@cafedemocracy.org>
Subject: Re: Dovecot can't connect to openldap over starttls
From: info@gwarband.de
Date: Mon, 20 Mar 2017 16:06:54 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <20170320132833.wkagjxxsmh7r3yor@dan.olp.net>
References: <91e420e6bb8b706d414599ecd2ccb222@gwarband.de> <20170319000929.GA16309@dan.olp.net> <90af711d3cf7cf37aaeb7b83a44b15e0@gwarband.de> <20170320132833.wkagjxxsmh7r3yor@dan.olp.net>
User-agent: Roundcube Webmail/0.8.5

Am 2017-03-20 14:29, schrieb Dan White:

On 03/19/17 09:07 +0100, info@gwarband.de wrote:

Am 2017-03-19 01:09, schrieb Dan White:
On 03/17/2017 04:27 PM, info@gwarband.de wrote:
https://gwarband.de/openldap/dovecot.log
Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from/var/run/dovecot/auth-token-secret.datMar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s()failed: Connect errorMar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s()failed: Connect errorMar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected(pid=27177)Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no authattempts in 7 secs): user=<>, rip=149.172.171.148, lip=188.68.37.50,session=<gcDtzHFKbwCVrKuU>
https://gwarband.de/openldap/dovecot-ldap.conf
uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs =mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter =
(&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter =
(&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
https://gwarband.de/openldap/openldap.conf
# Certificate
TLSCACertificateFile    /etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile  /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile   /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite
SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin      3.1
TLSVerifyClient     never


# Read slapd.conf(5) for possible values
loglevel            256

There are more verbose options.

# Include ACLs
include         /etc/ldap/acl.conf

What are the contents of /etc/ldap/ldap.conf?


The ldap.conf has no difference to the dovecot-ldap.conf.
See: https://gwarband.de/openldap/ldap.conf

The point "TLS_REQCERT" is in both confs "demand". I've changed itafter that.


The ldapsearch command works also under the user "dovecot"
See: https://gwarband.de/openldap/ldapsearch-dovecot.log

~$ ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"


There is a difference in your binding DN.

Debug Dovecot's implementation of ldap_start_tls_s().

The loglevel was manually edited to -1 ("any") and the log shows theoutput of this loglevel.

Yes the binding DN is diffrent, but I have also tried the"cn=T000000002,ou=tech,dc=gwarband,dc=de" with no success.

I don't have any idea how to set a higher debug level to dovecot. In myopinion I have the highest. So I can't deliver a greater log.

Follow-Ups:
- Re: Dovecot can't connect to openldap over starttls
  - From: Dan White <dwhite@cafedemocracy.org>

References:
- Dovecot can't connect to openldap over starttls
  - From: info@gwarband.de
- Re: Dovecot can't connect to openldap over starttls
  - From: Dan White <dwhite@cafedemocracy.org>
- Re: Dovecot can't connect to openldap over starttls
  - From: info@gwarband.de
- Re: Dovecot can't connect to openldap over starttls
  - From: Dan White <dwhite@cafedemocracy.org>

Prev by Date: Re: [LMDB] getting MDB_CORRUPTED when deleting within a DUPSORT database
Next by Date: Re: Dovecot can't connect to openldap over starttls
Index(es):
- Chronological
- Thread