On Thu Jun 26, 2025 at 11:14 AM CEST, Aki Tuomi wrote:
>
[snip]
> The problem here is that the error is coming from your LDAP server. It does 
> not want to do SASL EXTERNAL. Are you able to run your LDAP server in debug 
> mode to see why it refuses this?
>
> Aki

Hello Aki,

I did that a number of times already, at various debug levels. In particular,
slapd does not refuse to do SASL external, because, as said, it flawlessly works
with the openldap tools (ldapwhoami, ldapsearch, ...) and Postfix, with the very
same setup. Same certificate, same SASL mech settings, I documented all that in
my very first email. So slapd is perfectly willing to do client certificate
based authentication.

I emailed a slapd log example previously, by the way, comparing ldapwhoami to
dovecot. Here it is again:

(1) successful connect with ldapwhoami (on host ldaptest)

   conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
   tls_read: want=5, got=5
     0000:  17 03 03 00 2b                                     ....+
   tls_read: want=43, got=43
     0000:  63 a8 39 c4 f1 0c 75 53  9b 2e a9 7b b3 24 84 62   c.9...uS...{.$.b
     0010:  bb 01 32 0a 88 9d 39 c2  2f 06 1b ab 0d 59 a1 3b   ..2...9./....Y.;
     0020:  9d 71 e6 f2 a1 c1 dc 09  cc 1a 51                  .q........Q
   ldap_read: want=8, got=8
     0000:  30 18 02 01 01 60 13 02                            0....`..
   ldap_read: want=18, got=18
     0000:  01 03 04 00 a3 0c 04 08  45 58 54 45 52 4e 41 4c   ........EXTERNAL
     0010:  04 00                                              ..
   tls_read: want=5 error=Resource temporarily unavailable
   ldap_read: want=8 error=Resource temporarily unavailable
   conn=1000 op=0 BIND dn="" method=163

(2) unsuccessful connect with dovecot (on host ldaptest, same as above)

   conn=1000 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
   tls_read: want=5, got=5
     0000:  17 03 03 00 18                                     .....
   tls_read: want=24, got=24
     0000:  9c 7b cf 62 bf 11 3e 0c  30 db cf 5c 53 97 80 69   .{.b..>.0..\S..i
     0010:  9f 97 cc d8 bf 53 87 f9                            .....S..
   ldap_read: want=8, got=7
     0000:  30 05 02 01 01 42 00                               0....B.
   tls_read: want=5, got=5
     0000:  17 03 03 00 13                                     .....
   tls_read: want=19, got=19
     0000:  44 f5 34 d2 cf cb 6f 9a  9d c6 38 c3 f0 34 9a 13   D.4...o...8..4..
     0010:  77 8a 24                                           w.$
   ldap_read: want=8, got=0
   conn=1000 op=0 UNBIND

Note that these are packet logs taken at the very same stage. In the first case
you see an 'EXTERNAL' reported by the function ldap_read, so I very strongly
assume that's a packet coming from the client. Meaning the client says 'I want
to do external'.

That very same announcement is missing in the second, the dovecot case. Dovecot
does not say 'I want to do external', is what I'm bound to understand looking at
those logs. And that's, presumably, where the problem lies.

slapd, I'm as good as certain, is not the problem here. All those programs -
openldap tools, Postfix, Dovecot - link against the very same ldap and sasl
libraries, is what I would think. Two out of three work. One does not.

Greetings, Bruno
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
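The two ldap_read payloads in Bruno's slapd logs above can be decoded mechanically rather than eyeballed: they are BER-encoded LDAPMessage PDUs (RFC 4511). The following is an added example, not code from the thread or from Dovecot or OpenLDAP; the byte strings are copied from the hex dumps in the logs and the decoder is a deliberately minimal BER reader covering only BindRequest and UnbindRequest. It confirms the reading in the mail: the ldapwhoami client sends a BindRequest with authentication choice [3] sasl and mechanism "EXTERNAL" (the "method=163" in the slapd log is exactly that 0xa3 choice tag), while the 7-byte Dovecot PDU is an UnbindRequest with no bind attempted at all.

```python
"""Decode the LDAP PDUs shown in the slapd packet logs (added example)."""

# Sample input constructed from the ldap_read hex dumps in the thread.
LDAPWHOAMI_PDU = bytes.fromhex(
    "30 18 02 01 01 60 13 02"
    "01 03 04 00 a3 0c 04 08 45 58 54 45 52 4e 41 4c"
    "04 00"
)
DOVECOT_PDU = bytes.fromhex("30 05 02 01 01 42 00")


def read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]. Returns (tag, value, next_pos).

    Handles single-byte tags and short or long definite-length forms, which is
    all an LDAP bind/unbind PDU needs.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def decode_ldap_message(pdu):
    """Return a dict describing the LDAPMessage in pdu (BindRequest/UnbindRequest only)."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE
        raise ValueError(f"expected SEQUENCE, got tag 0x{tag:02x}")
    if end != len(pdu):
        raise ValueError("trailing bytes after LDAPMessage")

    tag, mid, pos = read_tlv(body, 0)       # messageID INTEGER
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    result = {"message_id": int.from_bytes(mid, "big")}

    op_tag, op_body, pos = read_tlv(body, pos)
    if op_tag == 0x60:                      # [APPLICATION 0] BindRequest (constructed)
        result["op"] = "BindRequest"
        _, v, p = read_tlv(op_body, 0)      # version INTEGER
        result["version"] = int.from_bytes(v, "big")
        _, v, p = read_tlv(op_body, p)      # name LDAPDN (OCTET STRING)
        result["name"] = v.decode()
        auth_tag, auth, p = read_tlv(op_body, p)   # authentication AuthenticationChoice
        if auth_tag == 0x80:                # [0] simple OCTET STRING
            result["auth"] = "simple"
        elif auth_tag == 0xA3:              # [3] sasl SaslCredentials (this is slapd's method=163)
            result["auth"] = "sasl"
            _, mech, q = read_tlv(auth, 0)  # mechanism LDAPString
            result["mechanism"] = mech.decode()
            if q < len(auth):               # credentials OCTET STRING OPTIONAL
                _, creds, _ = read_tlv(auth, q)
                result["credentials"] = creds
            else:
                result["credentials"] = None
        else:
            result["auth"] = f"unknown choice tag 0x{auth_tag:02x}"
    elif op_tag == 0x42:                    # [APPLICATION 2] UnbindRequest ::= NULL
        result["op"] = "UnbindRequest"
    else:
        result["op"] = f"other (tag 0x{op_tag:02x})"
    return result


if __name__ == "__main__":
    for label, pdu in (("ldapwhoami", LDAPWHOAMI_PDU), ("dovecot", DOVECOT_PDU)):
        print(label, decode_ldap_message(pdu))
```

Running this prints a BindRequest with version 3, empty DN, sasl mechanism "EXTERNAL" and empty credentials for the first dump, and an UnbindRequest with messageID 1 for the second, which matches the "BIND dn="" method=163" and "UNBIND" lines slapd itself logged.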