Hello,
can anybody say something about my problem? The mails at the bottom are from my discussion with the dovecot mailing list.
Thanks, Tobias
-------- Original message --------
Subject: Re: Dovecot can't connect to openldap over starttls
Date: 2017-03-18 14:22
From: info@gwarband.de
To: Tomas Habarta lists+dovecot@tocc.cz
Cc: dovecot@dovecot.org
The server log of openldap with loglevel "any": https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 minute after the connect before it says "TLS negotiation failure", and dovecot says "Connect error" immediately.
I've also deleted the TLSCipherSuite from openldap.
Tobias
On 2017-03-18 14:01, Tomas Habarta wrote:
Increase log level on server side as well to see what the server says... You may remove anything in TLSCipherSuite for the purpose of testing too. Hopefully anyone knowing OpenLDAP internals could help you analyse it more deeply.
Tomas
On 03/18/2017 01:31 PM, info@gwarband.de wrote:
I've replicated the settings from ldapsearch to dovecot, but no success.
To the certificate: yes, it's a *.crt file, but I have linked the *.pem file to it and dovecot has read access to that file.
I have enabled the debugging in dovecot and have uploaded the output: https://gwarband.de/openldap/dovecot-connect.log
And the other side with ldapsearch: https://gwarband.de/openldap/ldapsearch-connect.log
I'm pretty sure that there is a problem with the SSL handshake between openldap and dovecot, but I can't find the source of the problem. One of the steps in the SSL handshake is not successful, but in the debugging output I can't find any line with a hint to it.
Tobias
On 2017-03-18 12:30, Tomas Habarta wrote:
Well, if ldapsearch works, try to replicate its settings for the dovecot client. It's not obvious what settings ldapsearch uses; have a look at the default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way. Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file, as dovecot may not have access for reading... I cannot see anything downright bad, just the posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem, but I consider it's the same file. Finally, I would recommend to enable the debug option for dovecot's client, debug_level = -1 (which logs all available) in your dovecot-ldap.conf, to see what the library reports and work further on that. You can compare with output from ldapsearch by adding the -d-1 switch to it. Hard to tell more at the moment.
Tomas
On 03/18/2017 09:41 AM, info@gwarband.de wrote:
Hello,
I have also installed LE certs. But nothing helps, I have double-checked all certs. ldapsearch with -ZZ works, see: https://gwarband.de/openldap/ldapsearch.log
I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files: https://gwarband.de/openldap/LetsEncrypt.crt
And also I have uploaded my complete openldap configuration: https://gwarband.de/openldap/openldap.conf
All other components can work and communicate with my openldap server. The components are postfix, openxchange, apache (phpldapadmin).
My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13
I hope you can find the issue.
Thanks, Tobias
On 2017-03-17 22:48, Tomas Habarta wrote:
Hi,
been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok... I would suggest double-checking key/certs setup on OpenLDAP side; for the test I have used LE certs, utilizing the following cn=config attributes:
olcTLSCertificateKeyFile contains private key
olcTLSCertificateFile contains certificate
olcTLSCACertificateFile contains both certs (DST Root CA X3 and Let's Encrypt Authority X3)
and used the same CA file in Dovecot's tls_ca_cert_file
Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
Hope that helps, good luck ;)
Tomas
On 03/17/2017 04:27 PM, info@gwarband.de wrote:
Hello guys,
actually I'm trying to configure dovecot to access openldap for password checking. My openldap only allows access over "secure ldap". Dovecot can communicate with the openldap server, but there is maybe a failure in the SSL handshake. Additional information you can find in the logs or in the dump below. Also I have my ldap config from dovecot in the links below. I have already created a bug report in the system of openldap, but the answer was to get support from here.
All data links:
https://gwarband.de/openldap/dovecot.log
https://gwarband.de/openldap/dovecot-ldap.conf
https://gwarband.de/openldap/openldap.log
https://gwarband.de/openldap/trace.dump
The bug report link from openldap: http://www.openldap.org/its/index.cgi/Incoming?id=8615
I hope you can help me.
Regards,
Tobias Warband
Reformatted:
On 03/17/2017 04:27 PM, info@gwarband.de wrote:
Hello guys,
actually I'm trying to configure dovecot to access openldap for password checking.
All data links:
https://gwarband.de/openldap/dovecot.log
Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=149.172.171.148, lip=188.68.37.50, session=<gcDtzHFKbwCVrKuU>
uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
Mar 11 10:48:38 s1 slapd[26962]: conn=1001 fd=14 ACCEPT from IP=188.68.37.50:60814 (IP=188.68.37.50:389)
Mar 11 10:48:38 s1 slapd[26962]: conn=1001 op=0 STARTTLS
Mar 11 10:48:38 s1 slapd[26962]: conn=1002 fd=15 ACCEPT from IP=188.68.37.50:60815 (IP=188.68.37.50:389)
Mar 11 10:48:38 s1 slapd[26962]: conn=1002 op=0 STARTTLS
Mar 11 10:49:42 s1 slapd[26962]: connection_get(14): got connid=1001
Mar 11 10:49:42 s1 slapd[26962]: connection_read(14): checking for input on id=1001
Mar 11 10:49:42 s1 slapd[26962]: connection_read(14): TLS accept failure error=-1 id=1001, closing
Mar 11 10:49:42 s1 slapd[26962]: connection_get(15): got connid=1002
Mar 11 10:49:42 s1 slapd[26962]: connection_read(15): checking for input on id=1002
Mar 11 10:49:42 s1 slapd[26962]: connection_read(15): TLS accept failure error=-1 id=1002, closing
Mar 11 10:49:42 s1 slapd[26962]: conn=1001 fd=14 closed (TLS negotiation failure)
Mar 11 10:49:42 s1 slapd[26962]: conn=1002 fd=15 closed (TLS negotiation failure)
It appears that the client is sending an unbind request after the server sends a successful starttls response.
The bug report link from openldap: http://www.openldap.org/its/index.cgi/Incoming?id=8615
On 2017-03-17 22:48, Tomas Habarta wrote:
been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok... I would suggest double-checking key/certs setup on OpenLDAP side; for the test I have used LE certs, utilizing following cn=config attributes:
olcTLSCertificateKeyFile contains private key
olcTLSCertificateFile contains certificate
olcTLSCACertificateFile contains both certs (DST Root CA X3 and Let's Encrypt Authority X3)
and used the same CA file in Dovecot's tls_ca_cert_file
Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
On 03/18/2017 09:41 AM, info@gwarband.de wrote:
I have also installed LE certs. But nothing helps, I have double-checked all certs. ldapsearch with -ZZ works, see:
ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"
I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt
And also I have uploaded my complete openldap configuration:
# Certificate
TLSCACertificateFile /etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin 3.1
TLSVerifyClient never
All other components can work and communicate with my openldap server. The components are postfix, openxchange, apache (phpldapadmin). My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13
On 2017-03-18 12:30, Tomas Habarta wrote:
Well, if ldapsearch works, try to replicate its settings for the dovecot client. It's not obvious what settings ldapsearch uses; have a look at the default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way. Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file, as dovecot may not have access for reading... I cannot see anything downright bad, just the posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem, but I consider it's the same file. Finally, I would recommend to enable the debug option for dovecot's client
debug_level = -1 (which logs all available) in your dovecot-ldap.conf
to see what the library reports and work further on that. You can compare with output from ldapsearch by adding the -d-1 switch to it. Hard to tell more at the moment.
What are the contents of /etc/ldap/ldap.conf?
On 03/18/2017 01:31 PM, info@gwarband.de wrote:
I've replicated the settings from ldapsearch to dovecot, but no success.
To the certificate:
Yes, it's a *.crt file, but I have linked the *.pem file to it and dovecot has read access to that file. I have enabled the debugging in dovecot and have uploaded the output:
Mar 18 12:43:31 s1 dovecot: auth: Error: ldap_extended_operation_s
Mar 18 12:43:31 s1 dovecot: auth: Error: ldap_extended_operation
Mar 18 12:43:31 s1 dovecot: auth: Error: ldap_connect_to_host: TCP ldap.gwarband.de:389
Mar 18 12:43:31 s1 dovecot: auth: Error: connect success
Mar 18 12:43:31 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
And the other site with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log
I'm pretty sure that there is a problem with the SSL handshake between openldap and dovecot, but I can't find the source of the problem. One of the steps in the SSL handshake is not successful, but in the debugging output I can't find any line with a hint to it.
On 2017-03-18 14:01, Tomas Habarta wrote:
Increase log level on server side as well to see what the server says... You may remove anything in TLSCipherSuite for the purpose of testing too. Hopefully anyone knowing OpenLDAP internals could help you analyse it more deeply.
Your ldapsearch command should reference your ldap.conf config (ldap.conf(5)), and your dovecot-ldap.conf (assuming that it uses libldap) will also, but overwrite any settings using dovecot-ldap.conf. Compare any differences.
Look for permissions problems. Run your ldapsearch command as the same user dovecot runs under.
On 2017-03-19 01:09, Dan White wrote:
What are the contents of /etc/ldap/ldap.conf?
Your ldapsearch command should reference your ldap.conf config (ldap.conf(5)), and your dovecot-ldap.conf (assuming that it uses libldap) will also, but overwrite any settings using dovecot-ldap.conf. Compare any differences.
Look for permissions problems. Run your ldapsearch command as the same user dovecot runs under.
The ldap.conf has no difference from the dovecot-ldap.conf. See: https://gwarband.de/openldap/ldap.conf
The point "TLS_REQCERT" is in both confs "demand". I've changed it after that.
The ldapsearch command also works under the user "dovecot". See: https://gwarband.de/openldap/ldapsearch-dovecot.log
On 03/19/17 09:07 +0100, info@gwarband.de wrote:
On 2017-03-19 01:09, Dan White wrote:
# Read slapd.conf(5) for possible values
loglevel 256
There are more verbose options.
# Include ACLs
include /etc/ldap/acl.conf
What are the contents of /etc/ldap/ldap.conf?
The ldap.conf has no difference from the dovecot-ldap.conf. See: https://gwarband.de/openldap/ldap.conf
The point "TLS_REQCERT" is in both confs "demand". I've changed it after that.
The ldapsearch command also works under the user "dovecot". See: https://gwarband.de/openldap/ldapsearch-dovecot.log
~$ ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"
There is a difference in your binding DN.
Debug Dovecot's implementation of ldap_start_tls_s().
On 2017-03-20 14:29, Dan White wrote:
There are more verbose options.
There is a difference in your binding DN.
Debug Dovecot's implementation of ldap_start_tls_s().
The loglevel was manually edited to -1 ("any") and the log shows the output of this loglevel.
Yes, the binding DN is different, but I have also tried the "cn=T000000002,ou=tech,dc=gwarband,dc=de" with no success.
I don't have any idea how to set a higher debug level for dovecot. In my opinion I have the highest. So I can't deliver a greater log.
On 03/20/17 16:06 +0100, info@gwarband.de wrote:
I don't have any idea how to set a higher debug level for dovecot. In my opinion I have the highest. So I can't deliver a greater log.
I recommend consulting Dovecot's advice on how to run a debugger, or dig into the code which calls libldap.
On 2017-03-20 16:18, Dan White wrote:
I recommend consulting Dovecot's advice on how to run a debugger, or dig into the code which calls libldap.
There isn't too much to "debug" in Dovecot's TLS implementation, it's not doing anything fancy aside from calling ldap_start_tls_s.
I am not sure what debugging you could try further.
Aki
This was the answer of the dovecot mailing list. Maybe it would be possible that people from this mailing list communicate directly with the dovecot mailing list to find the solution together and easier.
Thanks, Tobias
On Mon, 20 Mar 2017 19:16:49 +0100, info@gwarband.de wrote:
You may test and debug by means of OpenSSL s_client(1). The starttls and protocol options might provide some insight.
-Dieter
On 2017-03-21 20:36, Dieter Klünter wrote:
You may test and debug by means of OpenSSL s_client(1). The starttls and protocol options might provide some insight.
-Dieter
I have found the solution with the dovecot mailing list. It was a permission problem because dovecot can't access the *.crt with the rights of a subgroup.
Thanks. Tobias
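Dan's advice earlier in the thread to look for permission problems, and the resolution above (dovecot could not read the *.crt behind the *.pem symlink because the read right sat on a group), are worth turning into a check. The script below is an added example, not code from this thread, Dovecot or OpenLDAP: it walks the path to a file such as tls_ca_cert_file as a given uid and group set, following symlinks and testing every directory's search bit, so that an `ls -l` on the link cannot hide the mode of the target. The names `check_read_as` and `identity_of` are mine; the check evaluates plain owner/group/other mode bits only, not POSIX ACLs or AppArmor/SELinux, and a daemon's real supplementary groups can differ from what `id dovecot` prints if it was started without initgroups().

```python
"""Can a given Unix identity open a file read-only? (added example)"""
import os
import stat
import pwd
import grp
from dataclasses import dataclass


@dataclass
class AccessResult:
    ok: bool
    path: str    # the component at which the verdict was reached
    reason: str


def _bits_allow(st, uid, gids, user_bit):
    """Evaluate one permission class. user_bit is S_IRUSR or S_IXUSR; the
    matching group and other bits are user_bit >> 3 and user_bit >> 6."""
    if uid == 0:
        return True                      # root bypasses DAC for read/search
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & (user_bit >> 3))
    return bool(st.st_mode & (user_bit >> 6))


def _describe(st):
    return "mode %s uid=%d gid=%d" % (oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid)


def check_read_as(path, uid, gids, max_links=40):
    """Return an AccessResult for opening `path` read-only as uid/gids.
    Symlinks are followed hop by hop; each hop re-checks the directories
    leading to the new name, since the link target may live elsewhere."""
    cur = os.path.abspath(path)
    hops = 0
    while True:
        parts = cur.split(os.sep)
        for i in range(1, len(parts)):       # every parent dir needs the x bit
            d = os.sep.join(parts[:i]) or os.sep
            try:
                dst = os.stat(d)
            except FileNotFoundError:
                return AccessResult(False, d, "directory does not exist")
            if not _bits_allow(dst, uid, gids, stat.S_IXUSR):
                return AccessResult(False, d, "directory not searchable: " + _describe(dst))
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            return AccessResult(False, cur, "no such file (dangling symlink?)")
        if stat.S_ISLNK(st.st_mode):
            hops += 1
            if hops > max_links:
                return AccessResult(False, cur, "too many symlink hops")
            target = os.readlink(cur)
            cur = os.path.normpath(os.path.join(os.path.dirname(cur), target))
            continue
        if not _bits_allow(st, uid, gids, stat.S_IRUSR):
            return AccessResult(False, cur, "file not readable: " + _describe(st))
        return AccessResult(True, cur, "readable: " + _describe(st))


def identity_of(username):
    """uid and full group set (primary + supplementary) of a local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    import sys
    # usage: <script> <user> <file>...  e.g. dovecot /etc/ssl/certs/LetsEncrypt.pem
    uid, gids = identity_of(sys.argv[1])
    for p in sys.argv[2:]:
        r = check_read_as(p, uid, gids)
        print("%s %s -> %s (%s)" % ("OK  " if r.ok else "FAIL", p, r.path, r.reason))
```

Run it as root against the exact paths from dovecot-ldap.conf and slapd's TLS* directives; a FAIL line names the first directory or file that blocks the daemon's identity, which is what `sudo -u dovecot cat <file>` would tell you one path at a time.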
openldap-technical@openldap.org