On 03/19/17 09:07 +0100, info@gwarband.de wrote:
On 2017-03-19 01:09, Dan White wrote:
>On 03/17/2017 04:27 PM, info@gwarband.de wrote:
>> https://gwarband.de/openldap/dovecot.log
Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=149.172.171.148, lip=188.68.37.50, session=<gcDtzHFKbwCVrKuU>
uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
# Certificate
TLSCACertificateFile /etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin 3.1
TLSVerifyClient never
# Read slapd.conf(5) for possible values
loglevel 256
There are more verbose options.
# Include ACLs
include /etc/ldap/acl.conf
What are the contents of /etc/ldap/ldap.conf?
The ldap.conf is no different from the dovecot-ldap.conf. See: https://gwarband.de/openldap/ldap.conf The "TLS_REQCERT" setting is "demand" in both confs. I changed it after that.
The ldapsearch command also works under the user "dovecot". See: https://gwarband.de/openldap/ldapsearch-dovecot.log
~$ ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"
There is a difference in your binding DN.
Debug Dovecot's implementation of ldap_start_tls_s().
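As an added illustration (not code from the thread or from Dovecot), the following script checks the effective STARTTLS verification posture of a Dovecot LDAP client by parsing both Dovecot's dovecot-ldap.conf and libldap's ldap.conf, since the TLS_REQCERT directive in the latter governs what ldap_start_tls_s() enforces; the sample configs, hostnames and paths are constructed.

```python
# Constructed sample inputs modelled on the configs quoted in the thread
# (hypothetical snippets, not the poster's real files).
DOVECOT_LDAP_CONF = """\
uris = ldap://ldap.example.test
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
"""

LIBLDAP_CONF = """\
# /etc/ldap/ldap.conf style: DIRECTIVE value
TLS_CACERT /etc/ssl/certs/LetsEncrypt.pem
TLS_REQCERT demand
"""


def parse_dovecot(text):
    """Parse Dovecot's 'key = value' LDAP config; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_libldap(text):
    """Parse libldap's ldap.conf: 'DIRECTIVE value', directive case-insensitive."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def tls_posture(dovecot, libldap):
    """Return (uses_tls, reqcert, warnings) for the effective STARTTLS check."""
    warnings = []
    uses_tls = dovecot.get("tls", "no").lower() == "yes" or any(
        u.startswith("ldaps://") for u in dovecot.get("uris", "").split())
    reqcert = libldap.get("TLS_REQCERT", "demand").lower()  # libldap default
    ca_file = dovecot.get("tls_ca_cert_file") or libldap.get("TLS_CACERT")
    if not uses_tls:
        warnings.append("LDAP traffic (including bind passwords) is in the clear")
    if uses_tls and reqcert in ("never", "allow"):
        warnings.append("TLS_REQCERT=%s: server certificate not enforced" % reqcert)
    if uses_tls and reqcert in ("demand", "hard", "try") and not ca_file:
        warnings.append("no CA file: certificate check will fail (connect error)")
    return uses_tls, reqcert, warnings
```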