On 16.5.2019 9.07, Steffen Kaiser via dovecot wrote:
> On Wed, 15 May 2019, Elias Falconi via dovecot wrote:
>
> > 2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
> > 2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Connect error
> > 2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Local error
> >
> > # Space separated list of LDAP hosts to use. host:port is allowed too.
> > hosts = 139.147.9.135
> >
> > # Use TLS to connect to the LDAP server.
> > tls = yes
> > # TLS options, currently supported only with OpenLDAP:
> > #tls_ca_cert_file =/etc/ssl/certs/ldap.crt
> > tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem
> >
> > # is still used, only the password field is ignored in it. Before doing any
> > # search, the binding is switched back to the default DN.
> > auth_bind = yes
> >
> > # For example:
> > # auth_bind_userdn = cn=%u,ou=people,o=org
> > #
> > #auth_bind_userdn =
>
> are you sure these settings fit each other?
>
> a) IP address, but force tls with cert
> -> is the IP address part of the alternate subjects of the cert?
>
> you seem to use STARTTLS
> https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html
>
> b) once you've sorted TLS out looks like auth_bind conflicts with
> auth_bind_userdn
>
> -- Steffen Kaiser
Also, can you try if setting blocking=yes in LDAP configuration helps? fwiw we have seen this with some customers too, but unfortunately it's an OpenLDAP issue which we can't really do much about.

Aki
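A way to verify point (a) in Steffen's reply, that the server certificate's subjectAltName actually covers the bare IP Dovecot is given in `hosts =`, added here as an example and not code from the thread or from Dovecot. It relies on `openssl x509 -checkip`/`-checkhost` (OpenSSL 1.0.2 or later); the `starttls_probe` function reproduces the STARTTLS handshake and CA verification Dovecot does with `tls = yes` and `tls_ca_cert_file`, and its arguments are placeholders for your own server, CA file and port.

```shell
#!/bin/sh
# Added example (not from the thread): does the LDAP server certificate
# cover the value Dovecot puts in `hosts =`? A bare IP must appear as an
# IP-type subjectAltName; a DNS SAN or the CN does not count for an IP
# literal, and the verification step inside ldap_start_tls_s() then fails.

# san_covers CERT.pem HOST_OR_IP -> 0 covered, 1 not covered, 2 could not check
san_covers() {
  cert="$1"; target="$2"
  # Pick the OpenSSL check that matches the SAN type the target needs.
  case "$target" in
    *:*)       mode=-checkip ;;    # IPv6 literal
    *[!0-9.]*) mode=-checkhost ;;  # contains letters: a DNS name
    *)         mode=-checkip ;;    # dotted IPv4 literal
  esac
  # Exit status differs between OpenSSL versions; the printed verdict does not.
  out=$(openssl x509 -in "$cert" -noout "$mode" "$target" 2>/dev/null || true)
  case "$out" in
    *"does NOT match"*) return 1 ;;
    *"does match"*)     return 0 ;;
    *)                  return 2 ;;   # no openssl, unreadable cert, too old
  esac
}

# san_list CERT.pem -> print the subjectAltName entries to compare with `hosts =`
san_list() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# starttls_probe HOST PORT CAFILE -> same STARTTLS + CA verification Dovecot
# performs with tls=yes. Needs network access; arguments are placeholders.
starttls_probe() {
  openssl s_client -connect "$1:$2" -starttls ldap -CAfile "$3" \
    -verify_return_error </dev/null 2>&1 | grep -E 'Verify return code|verify error'
}
```

If `san_covers` reports 1 for the IP in `hosts =`, either reissue the certificate with an `IP:` SAN or point `hosts =` at a DNS name the certificate does carry.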