Dovecot can't connect to openldap over starttls

Tomas Habarta lists+dovecot at tocc.cz
Sat Mar 18 13:30:45 EET 2017


Well, if ldapsearch works, try to replicate its settings for the dovecot client.
It's not obvious what settings ldapsearch uses; have a look at the default
client settings in /etc/openldap/ldap.conf, there may be something set in a
slightly different way.
Also double-check permissions for the files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file, as dovecot may not have access for
reading...

I cannot see anything downright bad; just the posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem, but I assume it's the
same file.

Finally, I would recommend enabling the debug option for dovecot's client,
	debug_level = -1 (which logs everything available) in your dovecot-ldap.conf,
to see what the library reports, and work further on that.
You can compare with the output from ldapsearch by adding the -d-1 switch to it.

Hard to tell more at the moment.


Tomas

On 03/18/2017 09:41 AM, info at gwarband.de wrote:
> Hello,
> 
> I have also installed LE certs.
> But nothing helps, I have double-checked all certs.
> 
> ldapsearch with -ZZ works, see: https://gwarband.de/openldap/ldapsearch.log
> 
> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
> the merge of the two files:
> https://gwarband.de/openldap/LetsEncrypt.crt
> 
> And also I have uploaded my complete openldap configuration:
> https://gwarband.de/openldap/openldap.conf
> 
> All other components can work and communicate with my openldap server.
> The components are postfix, openxchange, apache (phpldapadmin).
> 
> My installed software is:
> Debian 8
> OpenLDAP 2.4.40
> Dovecot 2.2.13
> 
> I hope you can find the issue.
> 
> Thanks,
> Tobias
> 
> On 2017-03-17 22:48, Tomas Habarta wrote:
>> Hi,
>>
>> I've been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>> unix socket on the same machine, but tried over inet with STARTTLS and
>> it's working ok...
>>
>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>> the test I have used LE certs, utilizing following cn=config attributes:
>>
>> olcTLSCertificateKeyFile    contains private key
>> olcTLSCertificateFile        contains certificate
>> olcTLSCACertificateFile        contains both certs (DST Root CA X3
>>                 and Let's Encrypt Authority X3)
>>
>> and used the same CA file in Dovecot's tls_ca_cert_file
>>
>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>
>>
>>
>> Hope that helps, good luck ;)
>> Tomas
>>
>>
>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>> Hello guys,
>>>
>>> actually I'm trying to configure dovecot to access openldap for
>>> password checking.
>>> My openldap only allows access over "secure ldap".
>>> Dovecot can communicate with the openldap server but there is maybe
>>> a failure in the SSL handshake.
>>> Additional information you can find in the logs or in the dump below.
>>> Also I have my ldap config from dovecot in the links below.
>>>
>>> I have already created a bug report in the openldap system but
>>> the answer was to get support from here.
>>>
>>> All datalinks:
>>> https://gwarband.de/openldap/dovecot.log
>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>> https://gwarband.de/openldap/openldap.log
>>> https://gwarband.de/openldap/trace.dump
>>>
>>> The bug report link from openldap:
>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>
>>> I hope you can help me.
>>>
>>> Regards.
>>> Tobias Warband

-- 
toCc.cz
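The checks Tomas suggests above (compare the Dovecot client settings with the system ldap.conf defaults, confirm the tls_ca_cert_file bundle is readable and actually contains certificates, then set debug_level = -1 and put the result next to an ldapsearch -d -1 run) collected into one script. This is an added example, not code from the thread or from Dovecot/OpenLDAP; the file paths, the ldap:// URI and the service user are assumptions for a local install, and the sample files used in testing are constructed. Note that in Dovecot 2.2 the LDAP passdb runs inside the auth-worker service, so the user to test readability for is whatever `service auth-worker { user = ... }` is set to (root by default), not necessarily the `dovecot` user.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for Dovecot's LDAP client
# STARTTLS setup.  Paths, URI and service user are assumptions for the local
# install; pass them on the command line.

# Value of KEY in a Dovecot-style "key = value" file; the last definition wins.
dovecot_conf_get() {  # $1 file, $2 key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Value of KEY in an OpenLDAP-style "KEY value" file (/etc/openldap/ldap.conf,
# or /etc/ldap/ldap.conf on Debian); the last definition wins.
openldap_conf_get() {  # $1 file, $2 key
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Number of PEM certificates in a bundle; prints 0 and fails if unreadable.
count_pem_certs() {  # $1 file
    [ -r "$1" ] || { echo 0; return 1; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if FILE is readable by USER.  Uses su(1), so it must itself run as root.
readable_as_user() {  # $1 user, $2 file
    su -s /bin/sh "$1" -c "test -r '$2'"
}

# Compare the two clients' CA settings and verify the bundle Dovecot names.
# Prints findings; returns 0 only when tls = yes, a tls_ca_cert_file is set,
# it is readable by the calling process and holds at least one certificate.
check_dovecot_ldap_tls() {  # $1 dovecot-ldap.conf, $2 system ldap.conf
    status=0
    tls=$(dovecot_conf_get "$1" tls)
    ca=$(dovecot_conf_get "$1" tls_ca_cert_file)
    sys_ca=$(openldap_conf_get "$2" TLS_CACERT)
    echo "dovecot: uris=$(dovecot_conf_get "$1" uris) tls=$tls tls_ca_cert_file=$ca"
    echo "system : TLS_CACERT=$sys_ca TLS_REQCERT=$(openldap_conf_get "$2" TLS_REQCERT)"
    [ "$tls" = yes ] || { echo "tls is not 'yes'; STARTTLS will not be attempted"; status=1; }
    [ -n "$ca" ] || { echo "no tls_ca_cert_file set"; status=1; }
    [ -n "$ca" ] && [ "$ca" != "$sys_ca" ] \
        && echo "note: ldapsearch (TLS_CACERT) and Dovecot trust different CA files"
    n=$(count_pem_certs "$ca") || { echo "cannot read $ca"; status=1; }
    echo "certificates in $ca: $n"
    [ "$n" -gt 0 ] || status=1
    return $status
}

# Library-level trace from ldapsearch (-d -1) using the same CA file Dovecot
# uses; with debug_level = -1 in dovecot-ldap.conf, `doveadm auth test user`
# produces the matching trace in Dovecot's log for side-by-side comparison.
ldapsearch_tls_trace() {  # $1 ldap:// URI, $2 CA file
    LDAPTLS_CACERT=$2 ldapsearch -H "$1" -ZZ -x -b '' -s base -d -1 2>&1 \
        | grep -i -e tls -e ssl -e cert
}

# Usage (all paths are assumptions):
#   sh ldap-tls-check.sh check /etc/dovecot/dovecot-ldap.conf /etc/ldap/ldap.conf
#   sh ldap-tls-check.sh perms root /etc/ssl/certs/LetsEncrypt.pem
#   sh ldap-tls-check.sh trace ldap://ldap.example.org /etc/ssl/certs/LetsEncrypt.pem
case "${1:-}" in
    check) check_dovecot_ldap_tls "${2:-/etc/dovecot/dovecot-ldap.conf}" "${3:-/etc/ldap/ldap.conf}" ;;
    perms) readable_as_user "$2" "$3" && echo "readable by $2" ;;
    trace) ldapsearch_tls_trace "$2" "$3" ;;
esac
```

The `check` step only tells you the bundle is readable by whoever runs the script; run `perms` as root with the auth-worker user to answer the question Tomas actually raises. A bundle count of 1 where you expected the intermediate plus the root is the usual sign that the two files were not merged correctly.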