Dovecot can't connect to openldap over starttls
info at gwarband.de
info at gwarband.de
Sat Mar 18 15:22:20 EET 2017
The serverlog of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 Minute before he says "TLS negotiation failure"
after the connect.
and dovecot says direct "Connect error"
I've also delete the TLSCipherSuite from openldap.
Tobias
Am 2017-03-18 14:01, schrieb Tomas Habarta:
> Increase log level on server side as well to see what the server
> says...
> You may remove anything in TLSCipherSuite for the purpose of testing
> too.
>
> Hopefully anyone knowing OpenLDAP internals could help you analyse it
> more deeply.
>
> Tomas
>
> On 03/18/2017 01:31 PM, info at gwarband.de wrote:
>> I've replicate the settings from ldapsearch to dovecot but no
>> success.
>> To the certificate:
>> Yes it's a *.crt file but I have linked the *.pem file to it and
>> dovecot
>> has read access to that file.
>>
>> I have enabled the debugging in dovecot and have uploaded the output:
>> https://gwarband.de/openldap/dovecot-connect.log
>>
>> And the other site with ldapsearch:
>> https://gwarband.de/openldap/ldapsearch-connect.log
>>
>> I'm pretty sure that there is a problem with the sslhandshaking
>> between
>> openldap and dovecot, but I can't find the source of the problem.
>>
>> One of the steps in the sslhandshaking is not success but in the
>> debugging output I can't find any line with a hit to it.
>>
>> Tobias
>>
>> Am 2017-03-18 12:30, schrieb Tomas Habarta:
>>> Well, if ldapsearch works, try to replicate its settings for dovecot
>>> client.
>>> It's not obvious what settings ldapsearch uses, have a look at
>>> default
>>> client settings in /etc/openldap/ldap.conf, there may be something
>>> set a
>>> slightly different way.
>>> Also double check permissions for files used by dovecot, I mean
>>> mainly
>>> the file listed for tls_ca_cert_file as dovecot may not have an
>>> access
>>> for reading...
>>>
>>> I cannot see anything downright bad, just posted CA cert (which is
>>> ok,
>>> tested) is *.crt and your config mentions *.pem but I consider it's
>>> the
>>> same file.
>>>
>>> Finally, I would recommend to enable debug option for dovecot's
>>> client
>>> debug_level = -1 (which logs all available) in your
>>> dovecot-ldap.conf
>>> to see what the library reports and work further on that.
>>> You can compare with output from ldapsearch by adding -d-1 switch to
>>> it.
>>>
>>> Hard to tell more at the moment.
>>>
>>>
>>> Tomas
>>>
>>> On 03/18/2017 09:41 AM, info at gwarband.de wrote:
>>>> Hello,
>>>>
>>>> I have also installed LE certs.
>>>> But nothing helps, I have double-checking all certs.
>>>>
>>>> ldapsearch with -ZZ works see:
>>>> https://gwarband.de/openldap/ldapsearch.log
>>>>
>>>> I have also uploaded the TLSCACertificateFile, maybe I have a
>>>> failure in
>>>> the merge of the two fiels:
>>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>>
>>>> And also I have uploaded my complete openldap configuration:
>>>> https://gwarband.de/openldap/openldap.conf
>>>>
>>>> All other components can work and communicate with my openldap
>>>> server.
>>>> The components are postfix, openxchange, apache (phpldapadmin).
>>>>
>>>> My installated software is:
>>>> Debian 8
>>>> OpenLDAP 2.4.40
>>>> Dovecot 2.2.13
>>>>
>>>> I hope you can find the issue.
>>>>
>>>> Thanks,
>>>> Tobias
>>>>
>>>> Am 2017-03-17 22:48, schrieb Tomas Habarta:
>>>>> Hi,
>>>>>
>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over
>>>>> the
>>>>> unix socket on the same machine, but tried over inet with STARTTLS
>>>>> and
>>>>> it's working ok...
>>>>>
>>>>> I would suggest double-checking key/certs setup on OpenLDAP side;
>>>>> for
>>>>> the test I have used LE certs, utilizing following cn=config
>>>>> attributes:
>>>>>
>>>>> olcTLSCertificateKeyFile contains private key
>>>>> olcTLSCertificateFile contains certificate
>>>>> olcTLSCACertificateFile contains both certs (DST Root CA X3
>>>>> and Let's Encrypt Authority X3)
>>>>>
>>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>>
>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or
>>>>> ... ?
>>>>>
>>>>>
>>>>>
>>>>> Hope that helps, good luck ;)
>>>>> Tomas
>>>>>
>>>>>
>>>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>>>>> Hello guys,
>>>>>>
>>>>>> actually I'm trying to configure dovecot to access openldap for
>>>>>> passwordcheck.
>>>>>> My openldap is only allow access over "secure ldap".
>>>>>> The dovecot can communicate with the openldap server but there is
>>>>>> maybe
>>>>>> a failure in the sslhandshake.
>>>>>> Additional information you can find in the logs or in the dump
>>>>>> below.
>>>>>> Also I have my ldap config from dovecot in the links below.
>>>>>>
>>>>>> I have already created an bug reporting in the system of openldap
>>>>>> but
>>>>>> the answer was to get support from her.
>>>>>>
>>>>>> All datalinks:
>>>>>> https://gwarband.de/openldap/dovecot.log
>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>>> https://gwarband.de/openldap/openldap.log
>>>>>> https://gwarband.de/openldap/trace.dump
>>>>>>
>>>>>> The bugreportinglink from openldap:
>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>>
>>>>>> I hope you can help me.
>>>>>>
>>>>>> Regards.
>>>>>> Tobias Warband
More information about the dovecot
mailing list