On Thu Jun 26, 2025 at 11:14 AM CEST, Aki Tuomi wrote:
[snip]
The problem here is that the error is coming from your LDAP server. It does not want to do SASL EXTERNAL. Are you able to run your LDAP server in debug mode to see why it refuses this?
Aki
Hello Aki,
I did that a number of times already, at various debug levels. In particular, slapd does not refuse to do SASL external, because, as said, it flawlessly works with the openldap tools (ldapwhoami, ldapsearch, ...) and Postfix, with the very same setup. Same certificate, same SASL mech settings, I documented all that in my very first email. So slapd is perfectly willing to do client certificate based authentication.
I emailed a slapd log example previously, by the way, comparing ldapwhoami to dovecot. Here it is again:
(1) successful connect with ldapwhoami (on host ldaptest)
conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
tls_read: want=5, got=5
0000: 17 03 03 00 2b ....+
tls_read: want=43, got=43
0000: 63 a8 39 c4 f1 0c 75 53 9b 2e a9 7b b3 24 84 62 c.9...uS...{.$.b
0010: bb 01 32 0a 88 9d 39 c2 2f 06 1b ab 0d 59 a1 3b ..2...9./....Y.;
0020: 9d 71 e6 f2 a1 c1 dc 09 cc 1a 51 .q........Q
ldap_read: want=8, got=8
0000: 30 18 02 01 01 60 13 02 0....`..
ldap_read: want=18, got=18
0000: 01 03 04 00 a3 0c 04 08 45 58 54 45 52 4e 41 4c ........EXTERNAL
0010: 04 00 ..
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
conn=1000 op=0 BIND dn="" method=163
(2) unsuccessful connect with dovecot (on host ldaptest, same as above)
conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
tls_read: want=5, got=5
0000: 17 03 03 00 18 .....
tls_read: want=24, got=24
0000: 9c 7b cf 62 bf 11 3e 0c 30 db cf 5c 53 97 80 69 .{.b..>.0..\S..i
0010: 9f 97 cc d8 bf 53 87 f9 .....S..
ldap_read: want=8, got=7
0000: 30 05 02 01 01 42 00 0....B.
tls_read: want=5, got=5
0000: 17 03 03 00 13 .....
tls_read: want=19, got=19
0000: 44 f5 34 d2 cf cb 6f 9a 9d c6 38 c3 f0 34 9a 13 D.4...o...8..4..
0010: 77 8a 24 w.$
ldap_read: want=8, got=0
conn=1000 op=0 UNBIND
Note that these are packet logs taken at the very same stage. In the first case you see an 'EXTERNAL' reported by the function ldap_read, so I very strongly assume that's a packet coming from the client. Meaning the client says 'I want to do external'.
That very same announcement is missing in the second, the dovecot case. Dovecot does not say 'I want to do external', is what I'm bound to understand looking at those logs. And that's, presumably, where the problem lies.
slapd, I'm as good as certain, is not the problem here. All those programs - openldap tools, Postfix, Dovecot - link against the very same ldap and sasl libraries, is what I would think. Two out of three work. One does not.
Greetings, Bruno
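Reading the two ldap_read dumps as LDAP protocol messages makes the point about the missing EXTERNAL checkable. The following is an added example of mine, not code from the thread, Dovecot or OpenLDAP: a minimal BER decoder fed the two byte sequences copied from the dumps above (it assumes only the BindRequest and UnbindRequest forms shown and decodes nothing else).

```python
# Hex copied from the two ldap_read dumps in the post (ldapwhoami vs dovecot).
LDAPWHOAMI_REQ = bytes.fromhex("301802010160130201030400a30c040845585445524e414c0400")
DOVECOT_REQ = bytes.fromhex("30050201014200")


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_ldap_message(raw):
    """Return a dict describing the LDAPMessage (RFC 4511) in raw."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msgid, pos = read_tlv(body)
    op_tag, op_body, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msgid, "big", signed=True)}
    if op_tag == 0x60:  # [APPLICATION 0] BindRequest
        _, version, p = read_tlv(op_body)
        _, name, p = read_tlv(op_body, p)
        auth_tag, auth, _ = read_tlv(op_body, p)
        msg.update(op="BindRequest", name=name.decode(),
                   version=int.from_bytes(version, "big", signed=True))
        # slapd logs the authentication CHOICE tag as method=<decimal>: 128 simple, 163 SASL.
        msg["method_tag"] = auth_tag
        if auth_tag == 0x80:  # [0] simple: the value is the password
            msg["method"] = "simple"
        elif auth_tag == 0xA3:  # [3] SaslCredentials SEQUENCE { mechanism, credentials OPTIONAL }
            _, mech, _ = read_tlv(auth)
            msg["method"] = "sasl"
            msg["mechanism"] = mech.decode()
    elif op_tag == 0x42:  # [APPLICATION 2] UnbindRequest (NULL, so no body)
        msg["op"] = "UnbindRequest"
    else:
        msg["op"] = f"unhandled protocolOp tag 0x{op_tag:02x}"
    return msg


if __name__ == "__main__":
    print("ldapwhoami:", decode_ldap_message(LDAPWHOAMI_REQ))
    print("dovecot:   ", decode_ldap_message(DOVECOT_REQ))
```

The first dump decodes as a BindRequest carrying SaslCredentials with mechanism EXTERNAL (tag 0xa3 = 163, the method=163 slapd logged); the second is a bare UnbindRequest with no bind at all, which matches the "op=0 UNBIND" line.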