Dovecot not connecting to OpenLDAP
Aki Tuomi
aki.tuomi at open-xchange.com
Thu May 16 09:10:28 EEST 2019
On 16.5.2019 9.07, Steffen Kaiser via dovecot wrote:
> On Wed, 15 May 2019, Elias Falconi via dovecot wrote:
>
> > 2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
> > 2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Connect error
> > 2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Local error
>
> > # Space separated list of LDAP hosts to use. host:port is allowed too.
> > hosts = 139.147.9.135
>
> > # Use TLS to connect to the LDAP server.
> > tls = yes
> > # TLS options, currently supported only with OpenLDAP:
> > #tls_ca_cert_file =/etc/ssl/certs/ldap.crt
> > tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem
>
> > # is still used, only the password field is ignored in it. Before doing any
> > # search, the binding is switched back to the default DN.
> > auth_bind = yes
>
> > # For example:
> > # auth_bind_userdn = cn=%u,ou=people,o=org
> > #
> > #auth_bind_userdn =
>
>
> are you sure these settings fit each other?
>
> a) IP address, but force tls with cert
> -> is the IP address part of the alternate subjects of the cert?
>
> you seem to use STARTTLS
> https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html
>
> b) once you've sorted TLS out looks like auth_bind conflicts with
> auth_bind_userdn
>
>
> -- Steffen Kaiser

Also, can you try if setting

blocking=yes

in LDAP configuration helps?

fwiw we have seen this with some customers too but unfortunately it's an
OpenLDAP issue which we can't really do much about.

Aki
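
Steffen's point (a) as a check, added here as an example that is not part of the original thread or of Dovecot: for every entry in `hosts`, test whether the server certificate's subjectAltName covers it. The function names, the sample config and the sample certificate (in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns) are constructed, and the code assumes an IP literal is compared only with iPAddress SAN entries.

```python
import ipaddress

# Constructed samples: config fragment and a getpeercert()-style certificate.
SAMPLE_CONF = """\
hosts = 192.0.2.10 ldap.example.org:389
tls = yes
"""
SAMPLE_CERT = {"subjectAltName": (("DNS", "ldap.example.org"),
                                  ("DNS", "*.dir.example.org"))}

def read_settings(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def split_host(entry):
    """Drop an optional :port; a bare IPv4/IPv6 literal is returned as is."""
    try:
        ipaddress.ip_address(entry)
        return entry
    except ValueError:
        host, sep, port = entry.rpartition(":")
        return host if sep and port.isdigit() else entry

def dns_match(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def san_matches(host, cert):
    """Assumption: an IP literal is compared only with iPAddress SAN entries."""
    sans = cert.get("subjectAltName", ())
    try:
        want = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and dns_match(v, host) for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v.strip()) == want
               for k, v in sans)

def check_hosts(conf_text, cert):
    """Map each configured host to whether the certificate's SANs cover it."""
    cfg = read_settings(conf_text)
    if cfg.get("tls", "no").lower() != "yes":
        return {}
    hosts = map(split_host, cfg.get("hosts", "").split())
    return {h: san_matches(h, cert) for h in hosts}
```

With the constructed samples, `check_hosts(SAMPLE_CONF, SAMPLE_CERT)` reports the IP entry as not covered and the DNS name as covered.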