Victor Duchovni wrote:
On Fri, Jun 26, 2009 at 02:12:12PM -0400, btb wrote:

Testing with postmap returns:
postmap -q 'example.com' ldap:./virtual_mailbox_domains.cf
postmap: warning: dict_ldap_set_tls_options: Unable to allocate new TLS
context -1: Can't contact LDAP server

Have you tried with "start_tls = yes" instead of "ldaps"?
Have you tried "debuglevel = 1", to see more verbose OpenLDAP logging?

I hadn't tried start_tls. A test returns the same result. I did
experiment with various debug levels. -1 (in accordance with the OpenLDAP
lib docs) appears to return the most information, and is very verbose when
successful (e.g. ldap:), but only returns the following when ldaps: is
used:
ldap_create
ldap_url_parse_ext(ldaps://ldap.example.com)
ldap_err2string
postmap: warning: dict_ldap_set_tls_options: Unable to allocate new TLS
context -1: Can't contact LDAP server

Have you tried debuglevel = 2?

I hadn't. It doesn't return anything beyond the postmap warning itself.
I also experimented with increased verbosity for postmap, but it appeared
to not introduce any additional clues (I'll omit output unless it's
requested).

All the interesting behaviour is in the LDAP library, so this is not
surprising.
Are you using GnuTLS or OpenSSL?

Postfix appears to be using OpenSSL:

No, not Postfix, the LDAP library.

OpenLDAP appears to be using GnuTLS:
ldd /usr/sbin/slapd | egrep -i '(tls|ssl)'
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7d01000)

Not sure it is a good idea to mix both in the same address space...
I've only ever tested with LDAP over OpenSSL, not LDAP over GNUTLS.

You're likely right. One of the pitfalls of the world of packaging systems.

I don't see any code path in OpenLDAP 2.4.11 that wants a live server
connection for setting the per-connection TLS context. This call should
not be failing.

In the interest of full disclosure, this is one of those "it used to work"
scenarios. This had been a functioning setup for some time. Breakage
followed a collection of updates to various packages that I had been
putting off.

Well, Postfix 2.6 is doing something new with LDAP, to prevent conflicts
with TLS policy in nsswitch modules, ...

The relevant Postfix code is only activated if compiled and used with
OpenLDAP 2.4 or later.
What exactly was working before and what did you change? You need
a version of the LDAP library with debugging symbols. Then single-step
"gdb" (debugging "postmap") through ldap_int_tls_init_ctx()

The contents of the lookup map in my initial message were what had been
working. postmap lookups along with Postfix operation in general were
successfully doing binds and searches against the same OpenLDAP server
that I'm now having trouble with (OpenLDAP and Postfix are on the same
computer, btw). For reference, initially they weren't, when I first
attempted to use ldaps. Addition of the tls_ca_cert_file parameter
solved that problem at the time.
I unfortunately can't recall the previous versions of the various
software party to the topic, but I am certain that the upgrade included
Postfix, OpenLDAP, OpenSSL and GnuTLS.
I'll work on debugging postmap - thanks for the direction.
-ben
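As an added example, not code from this thread or from Postfix/OpenLDAP: a small POSIX shell check for the GnuTLS-plus-OpenSSL mix in one address space that Victor points at above, classifying ldd(1) output of a binary. The ldd lines inside the script are constructed samples (only the libgnutls line is the one quoted in the thread); on a real system you would feed it `ldd /usr/sbin/postmap`.

```shell
#!/bin/sh
# Added example (not from the thread): classify which TLS stack(s) a
# dynamically linked program pulls in, from ldd(1) output, to spot a
# process that ends up with both GnuTLS and OpenSSL loaded.

# tls_backend LDD_OUTPUT -> prints one of: none | gnutls | openssl | both
tls_backend() {
    gnu=no
    ossl=no
    # GnuTLS shows up as libgnutls.so.N; OpenSSL as libssl.so.N / libcrypto.so.N
    if printf '%s\n' "$1" | grep -q 'libgnutls\.so'; then gnu=yes; fi
    if printf '%s\n' "$1" | grep -Eq 'libssl\.so|libcrypto\.so'; then ossl=yes; fi
    case "$gnu/$ossl" in
        yes/yes) echo both ;;
        yes/no)  echo gnutls ;;
        no/yes)  echo openssl ;;
        *)       echo none ;;
    esac
}

# tls_mixed LDD_OUTPUT -> exit status 0 (true) when both stacks are present
tls_mixed() {
    [ "$(tls_backend "$1")" = both ]
}

# Constructed sample: what ldd of a postmap linked against OpenSSL, whose
# libldap was built against GnuTLS, could look like. Addresses are made up,
# except the libgnutls line, which is the one quoted in the thread.
SAMPLE_POSTMAP_LDD='    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7ee0000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d80000)
    libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7d40000)
    libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7d01000)
    libc.so.6 => /lib/libc.so.6 (0xb7bb0000)'

# Constructed sample of a slapd that only uses GnuTLS (no mix).
SAMPLE_SLAPD_LDD='    libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7d01000)
    libc.so.6 => /lib/libc.so.6 (0xb7bb0000)'

# Stand-alone run on the constructed sample; for a real binary use
#   tls_backend "$(ldd /usr/sbin/postmap)"
printf 'postmap sample: %s\n' "$(tls_backend "$SAMPLE_POSTMAP_LDD")"
if tls_mixed "$SAMPLE_POSTMAP_LDD"; then
    echo 'warning: GnuTLS and OpenSSL are both loaded into the same process'
fi
```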