Discussion:
[Dovecot] dovecot + ldap tls
aza zel
2007-05-22 18:54:22 UTC
hi...
I'm trying to have a secure connection between dovecot and directory server, but
I can't do it. The documentation is so poor (
http://wiki.dovecot.org/AuthDatabase/LDAP)
these are my configuration files:

(pre: I have a directory server accepting secure connections (port 389 via
TLS and port 636 via SSL).)

File "/opt/csw/etc/dovecot-ldap.conf":

hosts=100.0.4.98
dn = cn=bindmailusers,cn=mailusers,dc=prueba,dc=uy
dnpass =passbindmailUsers
tls = yes
ldap_version = 3
base= cn=mailUsers,dc=prueba,dc=uy
deref = never
scope = subtree
user_attrs = uidnumber=uidnumber,gidnumber=gidnumber,homedirectory=homedirectory,mailbox=mailbox
user_filter = (&(objectClass=mailaccount)(uid=%u)(disableimap=FALSE))
pass_attrs = uid=uid,userpassword=password
pass_filter= (&(objectClass=mailaccount)(uid=%u)(disableimap=FALSE))
default_pass_scheme = CRYPT
user_global_uid =12356
user_global_gid =12356

File "/opt/csw/etc/openldap/ldap.conf" (openldap client):

TLS_REQCERT allow
host 100.0.4.98
TLS_CACERT /opt/csw/etc/postfix/ldap-cert/cacert.pem

this is my log file:

# tail dovecot-log.log
:
:
dovecot: May 22 15:48:31 Error: auth(default): LDAP: ldap_start_tls_s() failed: Can't contact LDAP server

any suggestion :(
--
Salu2 ;)
Timo Sirainen
2007-05-23 10:58:14 UTC
Post by aza zel
hi...
I'm trying to have a secure connection between dovecot and directory server, but
I can't do it. The documentation is so poor (
http://wiki.dovecot.org/AuthDatabase/LDAP)
As it says there:

"FIXME: I'm not sure how the actual TLS configuration (certificates
etc.) can be done."

Once you get it working feel free to update the information. :)
Post by aza zel
dovecot: May 22 15:48:31 Error: auth(default): LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
Does it manage to get a TCP connection at all (check with eg. tcpdump),
or is the error message just bad?

Timo Sirainen
2007-05-23 12:15:02 UTC
Post by Timo Sirainen
Post by aza zel
dovecot: May 22 15:48:31 Error: auth(default): LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
Does it manage to get a TCP connection at all (check with eg. tcpdump),
or is the error message just bad?
I checked OpenLDAP's sources to see if there's any way to get usable
error messages. Looks like the only way is to compile it with debugging
enabled. Then it'll log everything to stderr.

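An added example, not part of this thread and not Dovecot's or OpenLDAP's own code: a small Python script that reads the two configuration files posted at the top of the thread, flags settings that would make ldap_start_tls_s() fail or that weaken certificate verification (Dovecot's `tls = yes` means StartTLS on the plain LDAP port 389, not LDAPS on 636; OpenLDAP's `TLS_REQCERT allow` accepts any server certificate), and performs the plain TCP reachability check Timo suggests before looking at TLS at all. The configuration values are re-typed from the first post; the parsing rules and the hypothetical function names are my assumptions.

```python
"""Review Dovecot LDAP TLS settings offline, then test plain TCP reachability.

Added example; assumptions not stated in the thread:
  * dovecot-ldap.conf uses `key = value` lines, `hosts` is space separated
    and each entry may carry an optional `:port`.
  * The OpenLDAP client ldap.conf uses `KEY value` lines.
  * `tls = yes` makes Dovecot call ldap_start_tls_s() (StartTLS on 389).
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample input: the settings from the first post, re-typed here.
DOVECOT_LDAP_CONF = """\
hosts=100.0.4.98
dn = cn=bindmailusers,cn=mailusers,dc=prueba,dc=uy
dnpass =passbindmailUsers
tls = yes
ldap_version = 3
"""

OPENLDAP_CLIENT_CONF = """\
TLS_REQCERT allow
host 100.0.4.98
TLS_CACERT /opt/csw/etc/postfix/ldap-cert/cacert.pem
"""


def parse_dovecot_ldap_conf(text: str) -> Dict[str, str]:
    """Parse `key = value` lines; keys are lower-cased, blanks/comments skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def parse_openldap_conf(text: str) -> Dict[str, str]:
    """Parse `KEY value` lines of the OpenLDAP client ldap.conf."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def split_host_port(entry: str, default_port: int = 389) -> Tuple[str, int]:
    """Split one Dovecot `hosts` entry written as host or host:port."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, default_port


def review(dovecot_conf: str, openldap_conf: str) -> List[str]:
    """Return human-readable findings about the StartTLS setup."""
    findings = []
    dv = parse_dovecot_ldap_conf(dovecot_conf)
    ol = parse_openldap_conf(openldap_conf)
    tls = dv.get("tls", "no").lower() == "yes"

    for entry in dv.get("hosts", "").split():
        host, port = split_host_port(entry)
        if tls and port == 636:
            findings.append(f"{host}:{port}: tls=yes means StartTLS on the plain "
                            "LDAP port; 636 expects LDAPS, so ldap_start_tls_s() "
                            "cannot work there")
    if tls and dv.get("ldap_version", "3") != "3":
        findings.append("StartTLS requires ldap_version = 3")

    # OpenLDAP's default is demand; never/allow/try let a bad certificate through.
    reqcert = ol.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow", "try"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not "
                        "enforced, so the bind password could be sent to whoever "
                        "answers on that address; use 'demand' once TLS_CACERT is right")
    if "TLS_CACERT" not in ol and "TLS_CACERTDIR" not in ol:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the client has no CA to "
                        "verify the server certificate against")
    return findings


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """The check Timo suggests: can we open a plain TCP connection at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in review(DOVECOT_LDAP_CONF, OPENLDAP_CLIENT_CONF):
        print("finding:", finding)
    for entry in parse_dovecot_ldap_conf(DOVECOT_LDAP_CONF)["hosts"].split():
        host, port = split_host_port(entry)
        print(f"tcp {host}:{port} reachable:", tcp_reachable(host, port))
```

Run with the poster's files and it reports one finding (the `TLS_REQCERT allow` line, which is only acceptable while debugging) and then tells you whether the TCP connection to 100.0.4.98:389 succeeds; if that is already false, the "Can't contact LDAP server" message is accurate and the problem is the network or the server's listener, not TLS.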