* Seann <nombran...@tsukinokage.net>:
> On 9/3/2010 4:16 PM, Victor Duchovni wrote:
> >On Fri, Sep 03, 2010 at 04:07:13PM -0500, Seann wrote:
> >
> >>>Enable LDAP debugging to see more logging. The OpenLDAP library will
> >>>return this error when the peer certificate CommonName does not match
> >>>the hostname you specify, but there could be other errors.
> >>>
> >>>>When I use the LDAPS URI, I get this:
> >>>>
> >>>>Sep 2 09:46:55 server postfix/postmap[4659]: warning: dict_ldap_connect:
> >>>>Unable to bind to server ldaps://AD.domain.net:636 as CN=admin,CN=Users,
> >>>>DC=domain,DC=net: -1 (Can't contact LDAP server)
> >>>Is anyone home on port 636? Does "openssl s_client" work?
> >>>
> >>Yes, there is a listener on 636, as I use it for other LDAPS queries. I
> >>haven't a clue how to turn on debugging for LDAP, is it the same flags as
> >>the main postfix system debugging?
> >http://www.postfix.org/ldap_table.5.html describes the "debuglevel"
> >parameter. The value "2" seems to be a useful level of LDAP verbosity.
> >
> Sorry, I went back and RTFM, and found that. "TLS certificate
> verification: Error, unable to get local issuer certificate" is my
> new debug error that I am using Google to find out best places to
> look. I have the site CA file listed in the config, etc, so I am not
> sure why I get this error.

Is Postfix in a group that is allowed to access and read certs? In
Debian/Ubuntu you would install ssl-cert and add Postfix to the ssl-cert
group.

p...@rick

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
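
One way to check the group-access question raised in the reply above, as an added example that is not part of the original thread: the function walks from the CA file up to `/` and names the first file or directory whose mode bits would deny a given account. The account name `postfix` and the CA path in the usage comment are assumptions, and only classic Unix permission bits are evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the first path component whose
# mode bits deny a given uid/gid set access to a CA file, walking up to "/".
# Assumptions: classic Unix permissions only (no ACLs, SELinux/AppArmor or
# chroot); symlinks are followed for the mode check, the walk is lexical.

# bits_for MODE OWNER GROUP UID "GIDS": print the rwx triplet that applies.
bits_for() {
    if [ "$4" = "$2" ]; then echo "$1" | cut -c2-4; return; fi
    for bf_gid in $5; do
        if [ "$bf_gid" = "$3" ]; then echo "$1" | cut -c5-7; return; fi
    done
    echo "$1" | cut -c8-10
}

# first_blocker FILE UID "GIDS": print the blocking path and return 1;
# print nothing and return 0 if the file is readable; return 2 on bad input.
first_blocker() {
    case $1 in /*) ;; *) return 2 ;; esac      # absolute paths only
    fb_path=$1 fb_uid=$2 fb_gids=$3 fb_kind=file
    while :; do
        # -n prints numeric owner/group, -L follows a symlinked CA file
        fb_ls=$(ls -ldnL "$fb_path") || return 2
        set -- $fb_ls                          # $1 mode, $3 uid, $4 gid
        fb_bits=$(bits_for "$1" "$3" "$4" "$fb_uid" "$fb_gids")
        case "$fb_kind:$fb_bits" in
            file:r??|dir:??[xst]) ;;           # read (file) or search (dir) granted
            *) echo "$fb_path"; return 1 ;;
        esac
        [ "$fb_path" = / ] && return 0
        fb_path=$(dirname "$fb_path") fb_kind=dir
    done
}

# Typical call (account name "postfix" and the path are assumptions):
#   first_blocker /path/to/site-ca.pem "$(id -u postfix)" "$(id -G postfix)"
```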