So I recently converted my opensmtpd server to use ldap as the backend
for user authentication. It seems it's a bit intolerant to ldap issues?

If the ldap server isn't available when opensmtpd is started, it says it
started:

# /etc/rc.d/smtpd start
smtpd(ok)

But it isn't there:

# ps -aux | grep smtpd
root     89090  0.0  0.0   304  1208 p6  S+p    5:52PM    0:00.00 grep smtpd

And it's not really obvious why:

May 22 17:52:51 bart smtpd[46044]: info: OpenSMTPD 6.0.4 starting
May 22 17:52:51 bart smtpd[23325]: warn: table-proc: pipe closed
May 22 17:52:51 bart smtpd[23325]: lookup: table-proc: exiting
May 22 17:52:51 bart smtpd[73239]: smtpd: process lka socket closed

Starting in debug mode:

# smtpd -d
info: OpenSMTPD 6.0.4 starting
users[43283]: debug: reading key "url" -> "ldap://localhost:3389";
users[43283]: debug: reading key "basedn" ->
users[43283]: debug: reading key "username" ->
users[43283]: debug: reading key "password" ->
users[43283]: debug: reading key "credentials_filter" -> 
"(&(objectClass=uidObject)(uid=%s))"
users[43283]: debug: parsing attribute "credentials_attributes" (2) -> 
"uid,description"
users[43283]: debug: done reading config
users[43283]: warn: aldap_parse
users[43283]: fatal: failed to connect
warn: table-proc: pipe closed
lookup: table-proc: exiting
smtpd: process lka socket closed

You can see it looks like it fails to connect to the ldap server at
startup and just dies.

Further, if the ldap server is up at startup, but ever restarts or has
the connection broken, authentication just fails:

May 21 13:22:10 bart smtpd[42132]: warn: user credentials lookup fail for 
users:henson

The opensmtpd process needs to be restarted before authentication works
again.

In debug mode, it shows:

users[7295]: debug: table_ldap: ldap_query:
filter=(&(objectClass=uidObject)(uid=henson)), ret=0
5e46e2fabbf8d72e smtp event=authentication user=henson
address=134.71.249.41 host=134.71.249.41 result=permfail
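To make the two failure signatures quoted above easier to spot in syslog, here is an added Python example (not part of the original post and not OpenSMTPD code) that scans smtpd log lines for the startup sequence where the lookup agent dies right after "starting", and for "user credentials lookup fail" warnings that point at a dead table backend. The sample lines are taken from the excerpts in this thread; the function names, the `Findings` structure and the line-format regex are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Syslog-style line as smtpd writes it (format inferred from the excerpts above):
# "May 22 17:52:51 bart smtpd[46044]: info: OpenSMTPD 6.0.4 starting"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

CRED_FAIL_RE = re.compile(r"user credentials lookup fail for (\S+)")


@dataclass
class Findings:
    # True when a table-proc "pipe closed" and an lka "socket closed" follow a "starting" line.
    lka_died_at_startup: bool = False
    # "table:user" -> number of failed credential lookups seen.
    credential_lookup_failures: Counter = field(default_factory=Counter)
    notes: list = field(default_factory=list)


def parse_line(line):
    """Split one smtpd syslog line into timestamp, host, pid and message; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Walk the log in order and record the two failure patterns described in the post."""
    f = Findings()
    saw_start = False     # seen "OpenSMTPD ... starting" and nothing has reset it
    pipe_closed = False   # seen "table-proc: pipe closed" since that start
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("info: OpenSMTPD") and msg.endswith("starting"):
            saw_start, pipe_closed = True, False
        elif "table-proc: pipe closed" in msg:
            pipe_closed = True
        elif "process lka socket closed" in msg:
            if saw_start and pipe_closed:
                f.lka_died_at_startup = True
                f.notes.append(
                    f"{rec['ts']}: lookup agent exited right after startup "
                    "(table backend, e.g. ldap, unreachable?)"
                )
        else:
            m = CRED_FAIL_RE.search(msg)
            if m:
                f.credential_lookup_failures[m.group(1)] += 1
    return f


def backend_suspect(findings, min_failures=1):
    """Return True when either pattern suggests the table backend is down or its connection is stale."""
    if findings.lka_died_at_startup:
        return True
    return any(n >= min_failures for n in findings.credential_lookup_failures.values())


# Sample input: the startup excerpt from the post, and the auth-failure warning repeated
# (constructed repetition) plus one unrelated line to show it is ignored.
SAMPLE_STARTUP = [
    "May 22 17:52:51 bart smtpd[46044]: info: OpenSMTPD 6.0.4 starting",
    "May 22 17:52:51 bart smtpd[23325]: warn: table-proc: pipe closed",
    "May 22 17:52:51 bart smtpd[23325]: lookup: table-proc: exiting",
    "May 22 17:52:51 bart smtpd[73239]: smtpd: process lka socket closed",
]
SAMPLE_AUTH = [
    "May 21 13:22:10 bart smtpd[42132]: warn: user credentials lookup fail for users:henson",
    "May 21 13:22:30 bart smtpd[42132]: info: something unrelated",
    "May 21 13:23:05 bart smtpd[42132]: warn: user credentials lookup fail for users:henson",
]

if __name__ == "__main__":
    for name, sample in (("startup", SAMPLE_STARTUP), ("auth", SAMPLE_AUTH)):
        found = analyze(sample)
        print(name, "backend suspect:", backend_suspect(found), found.notes,
              dict(found.credential_lookup_failures))
```

Feeding `/var/log/maillog` (or the output of `smtpd -d`) through `analyze` gives a quick answer to "did the table process die at start, or did lookups start failing later", which is the distinction the post draws between the two symptoms.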

Is it expected that the ldap support is currently not production ready?
I see in a presentation from back in 2013 that ldap was classified
experimental at the time, but it's not clear if that's still the case.

I see in the repo at

https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/tables/table-ldap/table_ldap.c

there's a change to add ldap reconnection support:

https://github.com/OpenSMTPD/OpenSMTPD-extras/commit/04e4c521b34d1987af915ff97dcb0d87daf122b0#diff-369c0fcbfbc85bf2cdad7dba1131b872

but it's dated 7/27/2017, and the last github release seems to be
201601072302 (although the openbsd port appears to be 201703132115, I
guess it's not downloading it from github?).

It looks like the code in head still fails to start if the ldap server
isn't available when opensmtpd is started though.

Is anybody using opensmtpd with ldap in production? If so, how are you
working around this issue?

Thanks...
