Victor Duchovni wrote:
On Fri, Jun 26, 2009 at 11:50:12AM -0400, btb wrote:
cat virtual_mailbox_domains.cf
version = 3
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
server_host = ldaps://ldap.example.com
bind_dn = cn=postfix,ou=services,ou=accounts,dc=example,dc=com
bind_pw = xxxxxxxxxxxxxx
search_base = ou=domains,ou=mail,dc=example,dc=com
query_filter = (&(objectClass=mailDomain)(host=%s)(description=virtual))
result_attribute = description
Is /etc/ssl/certs/ca-certificates.crt a PEM file?
I believe so. Success with s_client, along with file(8), appears to
confirm this:
>file /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt: PEM certificate
It's a concatenation of all of the individual certs in /etc/ssl/certs.
The applicable cert in this particular case is the last one in the file.
Testing with postmap returns:
postmap -q 'example.com' ldap:./virtual_mailbox_domains.cf
postmap: warning: dict_ldap_set_tls_options: Unable to allocate new TLS
context -1: Can't contact LDAP server
Have you tried with "start_tls = yes" instead of "ldaps"?
Have you tried "debuglevel = 1", to see more verbose OpenLDAP logging?
I hadn't tried start_tls. A test returns the same result. I did
experiment with various debug levels. -1 (in accordance with the
OpenLDAP lib docs) appears to return the most information, and is very
verbose when successful (e.g. ldap:), but only returns the following
when ldaps: is used:
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.com)
ldap_err2string
postmap: warning: dict_ldap_set_tls_options: Unable to allocate new TLS
context -1: Can't contact LDAP server
I also experimented with increased verbosity for postmap, but it
appeared not to introduce any additional clues (I'll omit the output unless
it's requested).
Are you using GnuTLS or OpenSSL?
Postfix appears to be using OpenSSL:
>ldd /usr/sbin/postmap | egrep -i '(tls|ssl)'
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ec1000)
>ldd /usr/lib/postfix/smtpd | egrep -i '(tls|ssl)'
libpostfix-tls.so.1 => /usr/lib/libpostfix-tls.so.1 (0xb7f7c000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ed0000)
OpenLDAP appears to be using GnuTLS:
>ldd /usr/sbin/slapd | egrep -i '(tls|ssl)'
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7d01000)
I don't see any code path in OpenLDAP 2.4.11 that wants a live server
connection for setting the per-connection TLS context. This call should
not be failing.
In the interest of full disclosure, this is one of those "it used to
work" scenarios. This had been a functioning setup for some time.
Breakage followed a collection of updates to various packages that I had
been putting off.
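As an added example for the thread above (not Postfix code, and not something either poster ran), the following script parses a Postfix ldap_table(5) file like the one quoted at the top, checks that the tls_ca_cert_file it names is a well-formed PEM bundle, and reports the TLS settings that matter for security. It assumes the key = value layout of ldap_table(5) and the Postfix defaults start_tls = no and tls_require_cert = no; the point it makes that the thread does not is that an ldaps:// table with tls_require_cert left at its default is encrypted but does not verify the server certificate, so the CA bundle being discussed only protects the bind password once that setting is turned on. The PEM bundle it writes is a constructed placeholder with valid markers but no real certificate bodies.

```python
"""Check the TLS-relevant settings of a Postfix ldap_table(5) file.

Added example for the thread above, not Postfix code and not something the
posters ran. Assumptions: the 'key = value' layout of ldap_table(5), and the
Postfix defaults start_tls = no and tls_require_cert = no.
"""
import os
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# The table from the thread; the password is the poster's own placeholder.
SAMPLE_CF = """\
version = 3
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
server_host = ldaps://ldap.example.com
bind_dn = cn=postfix,ou=services,ou=accounts,dc=example,dc=com
bind_pw = xxxxxxxxxxxxxx
search_base = ou=domains,ou=mail,dc=example,dc=com
query_filter = (&(objectClass=mailDomain)(host=%s)(description=virtual))
result_attribute = description
"""


def parse_ldap_table(text):
    """Parse 'key = value' lines; blank lines and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the FIRST '=' only
        if not sep:
            raise ValueError("not a key = value line: %r" % line)
        cfg[key.strip()] = value.strip()
    return cfg


def count_pem_certs(path):
    """Number of PEM certificate blocks in a bundle.

    Raises ValueError on unbalanced BEGIN/END markers, the usual symptom of
    a truncated or badly concatenated ca-certificates file.
    """
    with open(path) as fh:
        data = fh.read()
    begins, ends = data.count(PEM_BEGIN), data.count(PEM_END)
    if begins != ends:
        raise ValueError("unbalanced markers: %d BEGIN, %d END" % (begins, ends))
    return begins


def check_tls(cfg):
    """Return a list of findings about the TLS settings in cfg."""
    findings = []
    uses_ldaps = cfg.get("server_host", "").startswith("ldaps://")
    start_tls = cfg.get("start_tls", "no").lower() == "yes"
    if uses_ldaps and start_tls:
        findings.append("start_tls = yes is redundant with an ldaps:// server_host")
    if not (uses_ldaps or start_tls):
        findings.append("no TLS: bind_pw and query traffic cross the wire in clear")
        return findings
    # Encryption without verification: a man-in-the-middle can present any cert.
    if cfg.get("tls_require_cert", "no").lower() != "yes":
        findings.append("tls_require_cert is not yes: the server certificate is "
                        "not verified, so the session is encrypted but not authenticated")
    ca = cfg.get("tls_ca_cert_file")
    if not ca:
        if not cfg.get("tls_ca_cert_dir"):
            findings.append("TLS enabled but neither tls_ca_cert_file nor "
                            "tls_ca_cert_dir is set")
    elif not os.path.exists(ca):
        findings.append("tls_ca_cert_file does not exist: " + ca)
    else:
        try:
            if count_pem_certs(ca) == 0:
                findings.append("tls_ca_cert_file holds no PEM certificates")
        except ValueError as exc:
            findings.append("tls_ca_cert_file is not a clean PEM bundle: %s" % exc)
    return findings


def write_constructed_bundle(n, truncate_last=False):
    """Write a constructed PEM bundle with n placeholder blocks; return its path.

    The bodies are NOT real certificates, only the markers a bundle scanner
    needs. truncate_last drops the final END marker to simulate a bad file.
    """
    block = "%s\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n%s" % (PEM_BEGIN, PEM_END)
    text = "\n".join([block] * n) + "\n"
    if truncate_last and n:
        text = text[: text.rfind(PEM_END)]
    fd, path = tempfile.mkstemp(suffix=".crt")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    cfg = dict(parse_ldap_table(SAMPLE_CF), tls_ca_cert_file=write_constructed_bundle(3))
    for finding in check_tls(cfg) or ["no TLS findings"]:
        print(finding)
```

Run against the quoted table, the checker accepts the bundle and reports only that tls_require_cert is unset; adding tls_require_cert = yes clears it. On a real host, replace the constructed bundle with the actual ca-certificates.crt, and pair the check with `openssl s_client -connect ldap.example.com:636 -CAfile /etc/ssl/certs/ca-certificates.crt` to confirm the server chain validates against that same file.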