Dovecot auth-ldap ignores tls_* settings when using ldaps://
Timo Sirainen
tss at iki.fi
Tue Oct 13 18:19:54 UTC 2015
On 08 Oct 2015, at 22:46, Heiko Schlittermann <hs at schlittermann.de> wrote:
>
> Hi,
>
> I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13
> there seems to be the same bug/feature).
>
> The userdb and passdb use LDAP. All further configuration is done in
> auth-ldap.conf.ext.
>
> uri = ldaps://<host>/
> # tls =
> tls_cert_file = /etc/ssl/certs/client-cert.pem
> tls_key_file = /etc/ssl/certs/client-key.file
>
> Dovecot ignores the tls_* options. If I use an ldap:// URI and
> switch on TLS using tls=yes it works as expected.
>
> But I do not see any reason why LDAPS should not read the tls_*
> settings.
I guess.
> This small patch solved it for me
>
> --- dovecot-2.2.9/src/auth/db-ldap.c 2013-11-24 14:37:39.000000000 +0100
> +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08 21:24:47.051446465 +0200
> @@ -1043,7 +1043,7 @@
>
> static void db_ldap_set_tls_options(struct ldap_connection *conn)
> {
> - if (!conn->set.tls)
> + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0))
> return;
That's a bit ugly. I think also the URIs support multiple ones, so some ldap and some ldaps URLs could even be mixed, which of course would be quite ugly.. I think the fix is to just remove the if (tls)-check completely. I don't think setting those harms anything even if tls/ldaps isn't being used?
More information about the dovecot
mailing list