http://bugs.exim.org/show_bug.cgi?id=1382 --- Comment #5 from alxgomz <[email protected]> 2013-09-10 01:01:09 ---

I have tried both patches but they don't fix the issue. The debug output still shows "LDAP_OPT_X_TLS_TRY" regardless of the value of ldap_require_cert = allow.

I have also tried the patch from the following page, https://gist.github.com/mrballcb/6501428, but that didn't help either.

I have added a debug line before the ldap_start_tls_s line 534 in order to check the options of the ldap connection:

    ...
        #if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
    527 /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
    528  * Note: moreover, they appear to now define LDAP_OPT_X_TLS and still not
    529  * export an ldap_start_tls_s symbol.
    530  */
    531 int cert_option;
    532 ldap_get_option(lcp->ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
    533 debug_printf("trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = %d \n", cert_option);
    534 if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)
    535   {
    536   *errmsg = string_sprintf("failed to initiate TLS processing on an "
    537     "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
    538     " %s", host, porttext, rc, ldap_err2string(rc));
    539   goto RETURN_ERROR;
    540   }
    ...
It seems to be set properly (according to ldap.h) from the config file, as I get:

    00:31:37  6469 3 set for cert_option
    00:31:37  6469 binding with user=uid=exim,dc=middle,dc=earth password=eximmta
    00:31:37  6469 trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = 3
    00:31:37  6469 failed to initiate TLS processing on an LDAP session to server ldap.middle.earth:389 - ldap_start_tls_s() returned -11: Connect error
    00:31:37  6469 lookup deferred: failed to initiate TLS processing on an LDAP session to server ldap.middle.earth:389 - ldap_start_tls_s() returned -11: Connect error

But as you can see I still get a connection error, and checking the network dump I see I have the following TLS alert: "Unknown CA", which shouldn't happen with ldap_require_cert set to allow.

I cannot exclude a setup error on my side, but again, I have dovecot happily doing LDAP TLS against the same LDAP server (so with the same self-signed certificate) with a similar configuration (tls = yes, tls_require_cert = allow).

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
