On 16.5.2019 9.07, Steffen Kaiser via dovecot wrote:
> On Wed, 15 May 2019, Elias Falconi via dovecot wrote:
>
>> 2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
>> 2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Connect error
>> 2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Local error
>>
>> # Space separated list of LDAP hosts to use. host:port is allowed too.
>> hosts = 139.147.9.135
>>
>> # Use TLS to connect to the LDAP server.
>> tls = yes
>>
>> # TLS options, currently supported only with OpenLDAP:
>> #tls_ca_cert_file =/etc/ssl/certs/ldap.crt
>> tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem
>>
>> # is still used, only the password field is ignored in it. Before doing any
>> # search, the binding is switched back to the default DN.
>> auth_bind = yes
>>
>> # For example:
>> # auth_bind_userdn = cn=%u,ou=people,o=org
>> #auth_bind_userdn =
>
> Are you sure these settings fit each other?
>
> a) IP address, but forced TLS with cert -> is the IP address part of the alternate subjects of the cert?
> You seem to use STARTTLS: https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-...
>
> b) Once you've sorted TLS out, it looks like auth_bind conflicts with auth_bind_userdn.
>
> --
> Steffen Kaiser
Also, can you try if setting
blocking=yes
in LDAP configuration helps?
FWIW, we have seen this with some customers too, but unfortunately it's an OpenLDAP issue which we can't really do much about.
Aki
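The two configuration questions raised in the thread (an IP-literal LDAP host combined with tls = yes, and auth_bind = yes with auth_bind_userdn left unset) can be checked mechanically before touching the server. The following is an added example, not code from the thread or from Dovecot: it parses a minimal dovecot-ldap.conf.ext-style fragment, emits the warnings a reviewer would raise, and shows why an IP literal fails certificate name matching unless the certificate carries an "IP Address" subjectAltName entry. The certificate dict is a constructed sample in the layout Python's ssl.SSLSocket.getpeercert() returns; the config fragment repeats the settings from the thread with everything else omitted.

```python
"""Added example: lint the dovecot-ldap.conf.ext combinations from the thread
and check whether a certificate's subjectAltName covers the configured host.
Not part of Dovecot; the sample config and certificate below are constructed."""
import ipaddress
import re

IP_SAN_TYPE = "IP Address"   # type label used by ssl.getpeercert() for iPAddress SANs
DNS_SAN_TYPE = "DNS"         # type label used for dNSName SANs

# Constructed sample: the settings quoted in the thread, nothing else.
SAMPLE_CONFIG = """\
# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 139.147.9.135
tls = yes
tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem
auth_bind = yes
#auth_bind_userdn =
"""

# Constructed certificate summary (not any real server's certificate):
# it names the host by DNS only, so an IP literal cannot match it.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "ldap6.example.org"),),),
    "subjectAltName": (("DNS", "ldap6.example.org"), ("DNS", "*.example.org")),
}


def parse_dovecot_config(text):
    """Parse 'key = value' lines. Lines starting with '#' are comments;
    a key seen twice keeps the last value, as Dovecot does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def is_ip_literal(host):
    """True for an IPv4/IPv6 literal, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_ldap_settings(settings):
    """Return the warnings a reviewer would raise for these settings."""
    warnings = []
    tls_on = settings.get("tls", "no").lower() == "yes"
    for entry in settings.get("hosts", "").split():
        # strip an optional ':port' suffix (IPv4/DNS form only; IPv6 literals are not handled)
        host = entry.rsplit(":", 1)[0] if re.match(r"^[^:]+:\d+$", entry) else entry
        if tls_on and is_ip_literal(host):
            warnings.append(
                f"hosts entry {entry!r} is an IP literal with tls = yes: the server "
                "certificate must list this IP as a subjectAltName IP Address entry; "
                "otherwise configure the certificate's DNS name instead")
    if settings.get("auth_bind", "").lower() == "yes" and not settings.get("auth_bind_userdn"):
        warnings.append(
            "auth_bind = yes without auth_bind_userdn: the user DN is looked up with "
            "pass_filter under the default bind DN before the bind, so pass_filter must be set")
    if settings.get("blocking", "no").lower() != "yes":
        warnings.append("blocking = yes (suggested in the thread as a workaround) is not set")
    return warnings


def san_covers_host(peercert, host):
    """True if the certificate's subjectAltName covers 'host'.

    An IP literal matches only an 'IP Address' entry, never a DNS entry (this
    is the rule that bites when 'hosts' is an IP and the cert names a DNS name).
    A DNS name matches case-insensitively; a single leading '*.' wildcard covers
    exactly one label. The subject commonName is deliberately ignored."""
    san = peercert.get("subjectAltName", ())
    if is_ip_literal(host):
        target = ipaddress.ip_address(host)
        for kind, value in san:
            if kind == IP_SAN_TYPE and is_ip_literal(value) and ipaddress.ip_address(value) == target:
                return True
        return False
    host_l = host.lower().rstrip(".")
    for kind, value in san:
        if kind != DNS_SAN_TYPE:
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host_l:
            return True
        if pattern.startswith("*.") and "." in host_l and host_l.split(".", 1)[1] == pattern[2:]:
            return True
    return False


if __name__ == "__main__":
    cfg = parse_dovecot_config(SAMPLE_CONFIG)
    for warning in lint_ldap_settings(cfg):
        print("WARN:", warning)
    for entry in cfg["hosts"].split():
        print(entry, "covered by SAN:", san_covers_host(SAMPLE_PEERCERT, entry))
```

Run against the sample, the linter flags the IP-literal host and the missing auth_bind_userdn, and san_covers_host() reports that 139.147.9.135 is not covered by a certificate that only carries DNS names. On a live server the same question is answered by inspecting the certificate's subjectAltName extension; Dovecot itself only reports the generic ldap_start_tls_s() failure, so checking the SAN separately is the quickest way to rule out the name-mismatch case that the thread asks about.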