Well, I have found my problem. I probably should have mentioned earlier
(how many times has that appeared on this list?) that ldap is used on
this system for local user authentication, meaning pam/nss are tied into
ldap. I noticed in traces that the system configs and certificates were
being loaded/read by proxymap and wondered if proxymap was not resetting
the value of the ca cert or ca dir as one would expect after it reads in
the alias map config.
So I'm thinking now that some other portion of postfix is using system
commands like id or finger or some standard library calls that required
it to follow configuration from nsswitch.conf. So, it is evident now
that proxymap was setting the CA file or path to what it found in /etc
before even reading in the alias mapping (aliases.cf) containing the
ldap13.crt config.
I've spoken with one of our staff programmers and he seems to think this
is bad mojo - he thinks something is "non-reentrant." I, too, am thinking
this isn't the best design, though I can't determine if it's a bug or
just a 'don't do that.' Regardless, since you mentioned taking language
for the next version docs, I would suggest a note to avoid conflicts
between pam_ldap/nss_ldap (using /etc/ldap.conf and /etc/nsswitch.conf)
and proxymap.
I say proxymap, because my TLS for SMTP AUTH works fine with or without
system ldap configs.
In other words, using the following configs:
postfix/main.cf: smtpd_tls_CAfile = /opt/etc/ca.crt
postfix/ldap/aliases.cf: tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
smtp11 etc # cat nsswitch.conf
passwd: files
shadow: files
group: files
#passwd: files ldap
#shadow: files ldap
#group: files ldap
works with BOTH smtpd AND proxymap tls enabled
But this:
smtp11 etc # cat nsswitch.conf
#passwd: files
#shadow: files
#group: files
passwd: files ldap
shadow: files ldap
group: files ldap
Works ONLY with smtpd.
Thanks for all your help. It is certainly appreciated. If this seems
like a simple bit of patching, I would love to know. It would save us
the trouble of having to write a custom patch to enable both ldap
alias/domain mappings and single sign-on for the admins.
-Nick Geron
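As an added diagnostic that is not part of the original post and not Postfix or nss_ldap code, the script below checks a host for the interaction described above: nsswitch.conf sending passwd/shadow/group to ldap, a system /etc/ldap.conf carrying its own TLS CA setting, and a Postfix LDAP table (like aliases.cf) that sets a different tls_ca_cert_file. It assumes the PADL-style ldap.conf keys tls_cacertfile and tls_cacertdir and the Postfix ldap_table keys tls_ca_cert_file and tls_ca_cert_dir; the sample inputs are constructed to mirror the configs quoted in the post and are not copied from any real host.

```python
"""Flag a system-ldap vs. Postfix-map TLS CA mismatch of the kind described in the post."""

# Constructed sample inputs modelled on the post's configs (not real host data).
NSSWITCH_LDAP = """\
#passwd: files
#shadow: files
#group: files
passwd: files ldap
shadow: files ldap
group: files ldap
"""

NSSWITCH_FILES = """\
passwd: files
shadow: files
group: files
#passwd: files ldap
#shadow: files ldap
#group: files ldap
"""

# /etc/ldap.conf as read by nss_ldap/pam_ldap (PADL-style keys, assumed here)
SYSTEM_LDAP_CONF = """\
host ldap.example.internal
base dc=example,dc=internal
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/system-ca.crt
"""

# A Postfix LDAP lookup table, e.g. /etc/postfix/ldap/aliases.cf
POSTFIX_MAP_CF = """\
server_host = ldap13.example.internal
search_base = ou=aliases,dc=example,dc=internal
start_tls = yes
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
"""


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines (whitespace-separated when sep is None).

    Comment and blank lines are skipped; keys are lowercased so that the
    mixed-case spellings found in the wild compare equal.
    """
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if sep is None:
            parts = line.split(None, 1)
        else:
            if sep not in line:
                continue
            parts = line.split(sep, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        out[key.strip().lower()] = value.strip()
    return out


def nss_databases_using_ldap(nsswitch_text):
    """Return the nsswitch databases whose (uncommented) source list includes 'ldap'."""
    dbs = parse_kv(nsswitch_text, ":")
    return sorted(db for db, sources in dbs.items() if "ldap" in sources.split())


def check_ca_conflict(nsswitch_text, system_ldap_conf, postfix_map_cf):
    """Report Postfix-map TLS CA settings that differ from the system ldap.conf.

    Only relevant when nsswitch routes a database to ldap, because that is
    what pulls nss_ldap (and its /etc/ldap.conf) into the proxymap process.
    Returns a list of human-readable findings; empty means nothing to flag.
    """
    ldap_dbs = nss_databases_using_ldap(nsswitch_text)
    if not ldap_dbs:
        return []  # nss_ldap is not in play, so proxymap keeps its own TLS settings
    sysconf = parse_kv(system_ldap_conf, None)
    mapconf = parse_kv(postfix_map_cf, "=")
    findings = []
    # (system ldap.conf key, Postfix ldap_table key) pairs that describe the same thing
    for sys_key, map_key in (("tls_cacertfile", "tls_ca_cert_file"),
                             ("tls_cacertdir", "tls_ca_cert_dir")):
        map_val = mapconf.get(map_key)
        if not map_val:
            continue
        sys_val = sysconf.get(sys_key)
        if sys_val != map_val:
            findings.append(
                f"{map_key}={map_val} in the Postfix map differs from system ldap.conf "
                f"{sys_key}={sys_val or '(unset)'} while nsswitch sends "
                f"{', '.join(ldap_dbs)} to ldap; the system value may already be in "
                f"effect inside proxymap before the map file is read")
    return findings


if __name__ == "__main__":
    # On a real host, read /etc/nsswitch.conf, /etc/ldap.conf and the map .cf instead.
    for label, nss in (("files only", NSSWITCH_FILES), ("files ldap", NSSWITCH_LDAP)):
        print(label + ":")
        for finding in check_ca_conflict(nss, SYSTEM_LDAP_CONF, POSTFIX_MAP_CF) or ["ok"]:
            print("  " + finding)
```

Run against the two nsswitch variants from the post, the "files only" case reports nothing and the "files ldap" case reports the ldap13.crt versus system CA mismatch; pointing both the system ldap.conf and the Postfix map at the same CA bundle (or a directory containing both CAs) is the conservative way to clear the finding without a patch.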
Nick Geron wrote:
Victor Duchovni wrote:
On Wed, Feb 25, 2009 at 09:36:08AM -0600, Nick Geron wrote: