On Thu Jun 26, 2025 at 8:21 AM CEST, Aki Tuomi wrote:
On 26/06/2025 09:10 EEST Bruno Hertz via dovecot <dovecot@dovecot.org> wrote:
Hi all
I'm currently testing Dovecot 2.4, considering a migration from 2.3, and all works fine except authentication against LDAP (openldap slapd) with client certificates, which I had no problem with on 2.3 for seven years or so.
[ .. snip .. ]
Thoughts?
Greetings, Bruno
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leae@dovecot.org
Dovecot uses openldap library, so it should respect what you have set in openldap config file. Can you run with ldap_debug_level = 9 to see if there is something that would explain this?
Aki
Hello Aki,
thanks for your reply. Did as you requested, and I hope something useful can be gleaned from it.
First, dovecot gives plenty of:
dovecot: auth: Error: TLS trace: SSL_connect:error in SSLv3/TLS write client hello
Then, from slapd, TLS connection established:
slapd[2439]: conn=1001 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Then, from dovecot, the handshake:
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write client hello
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server hello
dovecot: auth: Error: TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
Then plenty of:
dovecot: auth: Error: TLS trace: SSL_connect:error in SSLv3/TLS read server certificate request
Then, finally, we're coming to the point:
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server certificate request
dovecot: auth: Error: TLS certificate verification: depth: 1, err: 0, subject: /O=Mydomain Internal/CN=Root CA, issuer: /O=Mydomain Internal/CN=Root CA
dovecot: auth: Error: TLS certificate verification: depth: 0, err: 0, subject: /CN=*.mydomain.internal, issuer: /O=Mydomain Internal/CN=Root CA
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read server certificate
dovecot: auth: Error: TLS trace: SSL_connect:TLSv1.3 read server certificate verify
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS read finished
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write client certificate
dovecot: auth: Error: TLS trace: SSL_connect:SSLv3/TLS write finished
dovecot: auth: Error: ldap_int_sasl_open: host=ldaptest
dovecot: auth: Error: ldap_msgfree
dovecot: auth: Error: ldap_err2string
dovecot: auth: Error: ldap(ldaps://localhost.mydomain.internal:636): binding failed (dn (none)): Unknown authentication method, SASL(-4): no mechanism available:
dovecot: auth: Error: ldap_sasl_interactive_bind: user selected: external
dovecot: auth: Error: ldap_int_sasl_bind: external
dovecot: auth: Error: ldap_int_sasl_open: host=ldaptest
dovecot: auth: Error: ldap_msgfree
dovecot: auth: Error: ldap_err2string
dovecot: auth: Error: ldap(ldaps://localhost.mydomain.internal:636): binding failed (dn (none)): Unknown authentication method, SASL(-4): no mechanism available:
dovecot: imap-login : Login aborted: Logged out (auth service reported temporary failure, 1 attempts in 3 secs) (temp_fail): user=<testuser>, method=PLAIN, rip=192.168.0.2, lip=192.168.0.11, TLS, session=<606v3XM46t3AqAAC>
dovecot: auth: Error: ldap_free_connection 1 1
dovecot: auth: Error: ldap_send_unbind
dovecot: auth: Error: TLS trace: SSL3 alert write:warning:close notify
dovecot: auth: Error: ldap_free_connection: actually freed
So it does connect, does say it writes the client certificate, but then I don't know how to read this.
For comparison the other end, slapd. First a simple ldapwhoami client connection, which succeeds:
conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
tls_read: want=5, got=5
0000: 17 03 03 00 2b ....+
tls_read: want=43, got=43
0000: 63 a8 39 c4 f1 0c 75 53 9b 2e a9 7b b3 24 84 62 c.9...uS...{.$.b
0010: bb 01 32 0a 88 9d 39 c2 2f 06 1b ab 0d 59 a1 3b ..2...9./....Y.;
0020: 9d 71 e6 f2 a1 c1 dc 09 cc 1a 51 .q........Q
ldap_read: want=8, got=8
0000: 30 18 02 01 01 60 13 02 0....`..
ldap_read: want=18, got=18
0000: 01 03 04 00 a3 0c 04 08 45 58 54 45 52 4e 41 4c ........EXTERNAL
0010: 04 00 ..
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
conn=1000 op=0 BIND dn="" method=163
So there we see the EXTERNAL request and the successful bind.
Now the dovecot client connection:
conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
tls_read: want=5, got=5
0000: 17 03 03 00 18 .....
tls_read: want=24, got=24
0000: 9c 7b cf 62 bf 11 3e 0c 30 db cf 5c 53 97 80 69 .{.b..>.0..\S..i
0010: 9f 97 cc d8 bf 53 87 f9 .....S..
ldap_read: want=8, got=7
0000: 30 05 02 01 01 42 00 0....B.
tls_read: want=5, got=5
0000: 17 03 03 00 13 .....
tls_read: want=19, got=19
0000: 44 f5 34 d2 cf cb 6f 9a 9d c6 38 c3 f0 34 9a 13 D.4...o...8..4..
0010: 77 8a 24 w.$
ldap_read: want=8, got=0
conn=1000 op=0 UNBIND
No EXTERNAL request and unbind after some timeout. So something appears to go wrong with the SASL setup, but what exactly, and why?
Greetings, Bruno
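To make the two slapd hex dumps above comparable byte for byte, here is a small BER decoder for the LDAP PDUs that slapd printed in its ldap_read lines (LDAPMessage, BindRequest and UnbindRequest as defined in RFC 4511). This is an added example for this thread, not Dovecot or OpenLDAP code. It assumes slapd's dump layout (a four-digit offset, up to 16 two-digit hex bytes, then an ASCII column) and embeds the bytes copied from the ldapwhoami and dovecot dumps above; the conn-level lines (tls_read, TLS established) are left out since only the ldap_read payload matters here. It also shows where slapd's "method=163" comes from: 163 is 0xa3, the [3] SaslCredentials tag of the BindRequest authentication choice.

```python
"""Decode LDAP BindRequest/UnbindRequest PDUs from slapd 'ldap_read' hex dumps.

Added example for the thread above; not Dovecot or OpenLDAP code.
"""
import re

# Tags from RFC 4511: application-class protocol ops and the
# BindRequest authentication CHOICE (context-specific tags).
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0] BindRequest
TAG_UNBIND_REQUEST = 0x42  # [APPLICATION 2] UnbindRequest
TAG_AUTH_SIMPLE = 0x80     # [0] simple OCTET STRING
TAG_AUTH_SASL = 0xA3       # [3] SaslCredentials; slapd logs this as method=163

# Bytes copied from the slapd ldap_read dumps in the thread (ldapwhoami, then dovecot).
LDAPWHOAMI_DUMP = """\
0000: 30 18 02 01 01 60 13 02 0....`..
0000: 01 03 04 00 a3 0c 04 08 45 58 54 45 52 4e 41 4c ........EXTERNAL
0010: 04 00 ..
"""
DOVECOT_DUMP = """\
0000: 30 05 02 01 01 42 00 0....B.
"""

HEX_LINE = re.compile(r"^[0-9a-f]{4}:\s+(.*)$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex columns of slapd dump lines (assumed slapd layout).

    Tokens are consumed while they look like hex bytes, at most 16 per line,
    which stops at the ASCII column; successive ldap_read chunks are joined.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        for tok in m.group(1).split()[:16]:
            if re.fullmatch(r"[0-9a-f]{2}", tok):
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV at pos (definite lengths only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def decode_ldap_message(pdu: bytes) -> dict:
    """Decode one LDAPMessage into a dict describing the protocol op."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (tag 0x30)")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    msg = {"message_id": read_int(mid)}
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == TAG_UNBIND_REQUEST:
        msg["op"] = "UnbindRequest"
    elif op_tag == TAG_BIND_REQUEST:
        msg["op"] = "BindRequest"
        _, ver, p = read_tlv(op, 0)
        msg["version"] = read_int(ver)
        _, name, p = read_tlv(op, p)
        msg["name"] = name.decode()
        auth_tag, auth, _ = read_tlv(op, p)
        if auth_tag == TAG_AUTH_SIMPLE:
            msg["auth"] = "simple"
        elif auth_tag == TAG_AUTH_SASL:
            msg["auth"] = "sasl"
            _, mech, p2 = read_tlv(auth, 0)
            msg["mechanism"] = mech.decode()
            if p2 < len(auth):  # credentials are OPTIONAL
                _, creds, _ = read_tlv(auth, p2)
                msg["credentials"] = creds
        else:
            msg["auth"] = f"unknown tag 0x{auth_tag:02x}"
    else:
        msg["op"] = f"unhandled tag 0x{op_tag:02x}"
    return msg


if __name__ == "__main__":
    for label, dump in (("ldapwhoami", LDAPWHOAMI_DUMP), ("dovecot", DOVECOT_DUMP)):
        print(label, decode_ldap_message(hexdump_to_bytes(dump)))
```

Run as-is it prints a SASL EXTERNAL BindRequest (version 3, empty DN, empty credentials) for the ldapwhoami connection and a bare UnbindRequest for the dovecot connection, which matches the two slapd summaries above: the 7-byte PDU slapd read from dovecot is nothing but an unbind, so libldap gave up before ever sending a bind.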