On Tue, Mar 03, 2009 at 07:30:39PM -0500, Wietse Venema wrote:
> Victor Duchovni:
> > With OpenLDAP 2.4 it is possible to set the TLS properties for
> > a particular LDAP connection (not just global properties), and to
> > associate a new OpenLDAP managed TLS context for the connection via the
> >
Victor Duchovni:
> With OpenLDAP 2.4 it is possible to set the TLS properties for
> a particular LDAP connection (not just global properties), and to
> associate a new OpenLDAP managed TLS context for the connection via the
> new "LDAP_OPT_X_TLS_NEWCTX" option.
>
> Try this completely untested pat
On Fri, Feb 27, 2009 at 09:35:39AM -0800, Quanah Gibson-Mount wrote:
> If you are unable to test this patch at this time, I can do some testing on
> my systems using OpenLDAP 2.4.15 & Postfix 2.5.6.
The patch is working for me, please confirm that it is working for you
also. It is simple enough
On Fri, Feb 27, 2009 at 09:35:39AM -0800, Quanah Gibson-Mount wrote:
> --On Wednesday, February 25, 2009 7:12 PM -0500 Victor Duchovni wrote:
>
>
>> Note, the OpenLDAP API design issue is resolved with OpenLDAP 2.4.
>>
>> With OpenLDAP 2.4 it is possible to set the TLS properties for
>> a part
--On Wednesday, February 25, 2009 7:12 PM -0500 Victor Duchovni wrote:
Note, the OpenLDAP API design issue is resolved with OpenLDAP 2.4.
With OpenLDAP 2.4 it is possible to set the TLS properties for
a particular LDAP connection (not just global properties), and to
associate a new OpenLDAP
On Wed, Feb 25, 2009 at 05:34:26PM -0600, Nick Geron wrote:
>> This is an OpenLDAP API design issue. The OpenLDAP library (at least up
>> to version 2.3) has a single global SSL_CTX object, that is initialized
>> just once by the first call that creates an SSL-protected LDAP connection.
>> All req
Victor Duchovni wrote:
On Wed, Feb 25, 2009 at 03:30:51PM -0600, Nick Geron wrote:
Well, I have found my problem. I probably should have mentioned earlier
(how many times has that appeared on this list?) that ldap is used on this
system for local user authentication, meaning pam/nss are ti
On Wed, Feb 25, 2009 at 03:30:51PM -0600, Nick Geron wrote:
> Well, I have found my problem. I probably should have mentioned earlier
> (how many times has that appeared on this list?) that ldap is used on this
> system for local user authentication, meaning pam/nss are tied into ldap.
> I no
Realized my error in logic there. smtpd worked regardless because it's
supplying to a client, not trying to verify anything like proxymap.
-Nick
However, the fact that smtpd never experienced the same clobbering as
proxymap still seems a bit odd. Any ideas why?
-Nick
Thanks again for the reply. I sent off my last post before reading this
one, and it looks like we came to the same conclusion that it was my
nsswitch/system ldap settings getting in the way.
I would be inclined to agree that the problem is in libldap or other
parts of openldap (there's a reas
Well, I have found my problem. I probably should have mentioned earlier
(how many times has that appeared on this list?) that ldap is used on
this system for local user authentication, meaning pam/nss are tied into
ldap. I noticed in traces that the system configs and certificates were
being
On Wed, Feb 25, 2009 at 02:13:03PM -0600, Nick Geron wrote:
> The crt file may as well be named ldap13.pem If you're looking for the raw
> contents:
>
> smtp11 mail # su - postfix post...@smtp11 ~ $ ls -la
> /etc/postfix/ssl/
> total 20
> drwxr-xr-x 2 root root 4096 Feb 25 12:01 .
> drwxr
How many Postfix installs have you had on the machine? Perhaps
different parts (proxymap, postmap) come from different versions.
Some maintainers have software installed in /usr/sbin etc., some
under /usr/local/sbin or even under /opt, and they all expect to
have main.cf in different places.
If
--On Wednesday, February 25, 2009 2:23 PM -0600 Nick Geron wrote:
Thanks for the reply, Quanah. I agree. Unfortunately the root problem I
see is that proxymap is not reading the CA I'm trying to provide via the
tls_ca_cert_file (or dir) configuration in my alias map. Strace
demonstrates tha
Thanks for the reply, Quanah. I agree. Unfortunately the root problem
I see is that proxymap is not reading the CA I'm trying to provide via
the tls_ca_cert_file (or dir) configuration in my alias map. Strace
demonstrates that postmap loads the CA and performs lookups over tls
fine, but prox
Victor Duchovni wrote:
On Wed, Feb 25, 2009 at 09:36:08AM -0600, Nick Geron wrote:
You only show a test running as root, not "postfix". What versions of
Postfix and OpenLDAP are these?
This question seemed pretty clear. The answer is relevant to the
discussion.
Answer below
Th
On Wed, Feb 25, 2009 at 09:36:08AM -0600, Nick Geron wrote:
>> You only show a test running as root, not "postfix". What versions of
>> Postfix and OpenLDAP are these?
This question seemed pretty clear. The answer is relevant to the
discussion.
> There was TLS API creep in OpenLDAP
>> between 2.
On Wed, Feb 25, 2009 at 11:59:43AM -0600, Nick Geron wrote:
>
> Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS trace:
> SSL_connect:SSLv3 read server hello A
> Feb 25 10:55:28 smtp11 postfix/proxymap[28531]: dict_ldap_debug: TLS
> certificate verification: depth: 0, err: 18
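Added example, not part of the thread: the "err: 18" in the proxymap trace quoted above is OpenSSL's verify result X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, returned when the certificate at depth 0 is self-signed and is not in the trust store the verifier was given. The script below reproduces both outcomes with nothing but the openssl command-line tool: verifying a throwaway self-signed certificate with no CA configured fails with error 18; supplying that same certificate as the CA file succeeds, which is the effect tls_ca_cert_file is supposed to have for dict_ldap. The CN, the file names and the temporary directory are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): show what OpenSSL verify error 18 means
# and how supplying the private CA clears it. Uses only the openssl CLI.
# The CN "ldap13.example.invalid" and the file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate standing in for the LDAP server's private
# CA. Key and certificate are throwaway test material (1 day validity).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap13.example.invalid" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Verify certificate $1 against the default trust store, or against the CA
# file $2 when given. Prints the OpenSSL verify error code: 0 when the chain
# verifies, otherwise the N from "error N at D depth lookup", which is the
# same number libldap reports as "err: N" in its TLS trace.
verify_err_code() {
    if [ -n "${2:-}" ]; then
        if out=$(openssl verify -CAfile "$2" "$1" 2>&1); then echo 0; return 0; fi
    else
        if out=$(openssl verify "$1" 2>&1); then echo 0; return 0; fi
    fi
    printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' \
        | head -n 1
}

make_selfsigned "$WORK/ldap13"

# No CA configured: error 18 (self-signed certificate at depth 0), the same
# failure proxymap logged while tls_ca_cert_file was not taking effect.
echo "no CA configured:  err $(verify_err_code "$WORK/ldap13.pem")"

# The private CA supplied as the CA file: verification succeeds (err 0).
echo "CA file supplied:  err $(verify_err_code "$WORK/ldap13.pem" "$WORK/ldap13.pem")"
```

Run it as an unprivileged user; the point of the comparison is that the certificate file is identical in both runs and only the trust store handed to the verifier differs, which is exactly the knob tls_ca_cert_file / tls_ca_cert_dir is meant to turn.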
--On Wednesday, February 25, 2009 11:59 AM -0600 Nick Geron wrote:
Just curious if anyone looked over my last email (with replies to
Victor's questions). I forgot to add a few answers. I'm running postfix
2.5.6, openldap 2.3.43 (libraries on postfix server) and openssl 0.9.8g.
On the ldap se
Just curious if anyone looked over my last email (with replies to
Victor's questions). I forgot to add a few answers. I'm running
postfix 2.5.6, openldap 2.3.43 (libraries on postfix server) and openssl
0.9.8g. On the ldap server I'm running openDS 1.2.
Also, I turned up debugging in the ma
Thanks for the reply, Victor.
Responses below. Please let me know if any additional output is needed,
or if I did something foolish ;)
Note: I cut out most of dict_eval verbose output as the list bot
rejected my first attempt to send due to length. If there are specific
log lines needed I can
Thanks for the reply. Yes, I have successfully used this cert with
openldap programs - ldapsearch. I've tried both specifying a ca cert
directory and cert file. In fact, all programs I can test with work
except for the code around dict_ldap as far as I can tell. That
includes openDS and o
On Tue, Feb 24, 2009 at 06:48:12PM -0600, Nick Geron wrote:
> So as root or my limited rights postfix user this works:
>
> #postmap -q j...@example.com ldap:/etc/postfix/ldap/aliases.cf
> j...@example.com
You only show a test running as root, not "postfix". What versions of
Postfix and OpenLDAP a
--On Tuesday, February 24, 2009 6:48 PM -0600 Nick Geron wrote:
I'm in the process of putting together a postfix system with an ldap
back-end and have come
across something very odd regarding ldap_table. Basically, postfix does
not load my private CA.
The CA is really a self signed cert gene