Hello.

While investigating a strange issue with exim, STARTTLS and LDAP, I have found that lookups/ldap.c does not check the value returned by the ldap_start_tls_s(3) function. That is why the error exim reports in debug output does not match the actual situation. More than that, it is possible to identify the exact problem that caused the error via ldap_get_option(3) for LDAP_OPT_DIAGNOSTIC_MESSAGE, e.g.:

----------------------------------------------------------------------------------
ldap_start_tls_s() failed: Connect error, error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
----------------------------------------------------------------------------------

I think that exim should check the value returned by ldap_start_tls_s, as the subsequent call to ldap_bind() returns an inappropriate error. I have written a small patch which changes the error reporting behaviour to be more predictable.
Debug output without patch (exim -v -d+all -bh 8.8.8.8 -C ./configure):
----------------------------------------------------------------------------------
20:19:52 81575 initialized for LDAP (v3) server rw2.devel.ldap.hostcomm.ru:389
20:19:52 81575 LDAP_OPT_X_TLS_TRY set
20:19:52 81575 binding with user=uid=dbanschikov,ou=users,o=hc password=password
;; res_querydomain(rw2.devel.ldap.hostcomm.ru, <Nil>)
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 1)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55715
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55715
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
rw2.devel.ldap.hostcomm.ru. 3m26s IN A 10.14.10.186
ldap.hostcomm.ru. 3m26s IN NS dns.ovr.hc.ru.
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 28)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, AAAA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55716
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
ldap.hostcomm.ru. 3m26s IN SOA dns.ovr.hc.ru. support.hc.ru. (
2011082302 ; serial
3H ; refresh
1H ; retry
2D ; expiry
10M ) ; minimum
;; rcode = 0, ancount=0
20:19:52 81575 failed to bind the LDAP connection to server
rw2.devel.ldap.hostcomm.ru:389 - LDAP error: result retrieval failed
20:19:52 81575 lookup deferred: failed to bind the LDAP connection to
server rw2.devel.ldap.hostcomm.ru:389 - LDAP error: result retrieval failed
----------------------------------------------------------------------------------

Debug output with patch (exim -v -d+all -bh 8.8.8.8 -C ./configure):
----------------------------------------------------------------------------------
20:23:18 83019 initialized for LDAP (v3) server rw2.devel.ldap.hostcomm.ru:389
20:23:18 83019 LDAP_OPT_X_TLS_TRY set
20:23:18 83019 binding with user=uid=dbanschikov,ou=users,o=hc password=password
;; res_querydomain(rw2.devel.ldap.hostcomm.ru, <Nil>)
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 1)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40247
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
rw2.devel.ldap.hostcomm.ru. 5M IN A 10.14.10.186
ldap.hostcomm.ru. 5M IN NS dns.ovr.hc.ru.
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 28)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, AAAA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40248
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40248
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
ldap.hostcomm.ru. 5M IN SOA dns.ovr.hc.ru. support.hc.ru. (
2011082302 ; serial
3H ; refresh
1H ; retry
2D ; expiry
10M ) ; minimum
;; rcode = 0, ancount=0
20:23:18 83019 failed to initiate TLS processing on an LDAP session to
server rw2.devel.ldap.hostcomm.ru:389 - ldap_start_tls_s() returned -11:
Connect error
20:23:18 83019 lookup deferred: failed to initiate TLS processing on an
LDAP session to server rw2.devel.ldap.hostcomm.ru:389 -
ldap_start_tls_s() returned -11: Connect error
----------------------------------------------------------------------------------

-- 
Dmitry Banschikov
--- src/lookups/ldap.c.orig 2012-05-02 19:50:51.000000000 +0000
+++ src/lookups/ldap.c 2012-05-02 20:04:39.000000000 +0000
@@ -523,7 +523,12 @@
/* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this: */
if (eldap_start_tls)
{
- ldap_start_tls_s(lcp->ld, NULL, NULL);
+ if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS) {
+ *errmsg = string_sprintf("failed to initiate TLS processing on an "
+ "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
+ " %s", host, porttext, rc, ldap_err2string(rc));
+ goto RETURN_ERROR;
+ }
}
#endif
if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
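Review bot: the new error message only carries ldap_err2string(rc), which for this case is the generic "Connect error" shown in the debug output above; the certificate-verification reason that the report itself obtained via ldap_get_option(lcp->ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, ...) is still lost, so consider appending that string to the string_sprintf() call (and releasing it with ldap_memfree() afterwards) so an operator can tell a trust-chain problem from a network one. Two smaller points: `rc` is assigned in the hunk without a visible declaration, so confirm an `int rc` exists in this function's scope, and the added `if (...) {` / `}` lines use K&R brace placement while the surrounding code puts braces on their own lines (see the `{` after `if (eldap_start_tls)`). The `goto RETURN_ERROR` is the important part of the change: without it a failed STARTTLS fell straight through to ldap_bind() with the configured password, so also make sure the RETURN_ERROR path unbinds or releases lcp->ld rather than leaving the half-initialised session open.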
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
