Hi Todd,

Thanks for forwarding me this. This indeed looks like the right way to do things. I am just surprised this is not documented anywhere and nobody raised that when I asked on the openldap IRC channel. Nonetheless, it works for me as well as using NULL as an ldap handle. I have no doubt this is a better approach (more modern, let's say) than the one we chose previously, but my understanding is that it won't bring additional advantages as the ldap_require_cert exim option is global. Am I right? Or am I missing something? In any case, I don't have much time to test the patch as I am moving back to France right now, but for what I have tested, it doesn't break my setup (tested ldap lookup for rcpt to verification).
Regards,
Alex.

2013/10/31 Todd Lyons <[email protected]>:
> On Wed, Oct 30, 2013 at 7:02 AM, Heiko Schlichting
> <[email protected]> wrote:
>> Todd Lyons wrote:
>>> > In exim 4.80.1:
>>> > ldap_initialize with URL ldaps://ldap.example.org:636/
>>> > initialized for LDAP (v3) server ldap.example.org:636
>>> > LDAP_OPT_X_TLS_HARD set
>> ldap.example.org:636 is self-signed and localhost:8636 is not self-signed.
>> Usually in ~/.ldaprc
>> TLS_REQCERT allow
>> is set for this exim user.
>>
>>> > and exim 4.82:
>>> > ldap_initialize with URL ldaps://ldap.example.org:636/
>>> > initialized for LDAP (v3) server ldap.example.org:636
>>> > Require certificate overrides LDAP_OPT_X_TLS option (0)
>
> We spent a little time off-list debugging and testing things. We got a
> decent handle on the problem, though the cause of the problems was a
> little unclear at first. We could see that setting options one way
> worked for me, and the old way worked for him.
>
> Some very specific googling resulted in finding this OpenLDAP post:
> http://www.openldap.org/lists/openldap-technical/201202/msg00463.html
> ...which led to this post by Viktor on the Postfix mailing list:
> http://www.mailinglistarchive.com/[email protected]/msg57688.html
>
> It seems Viktor had to slog through the same thing a few years back
> when OpenLDAP changed the behavior of the client libraries from 2.3 to
> 2.4. Once I saw his patch, it became clear why I was seeing the
> inconsistent behavior, and I did roughly the same steps (#ifdef guards
> a variable assignment at compile time based on what client libs
> provide).
>
> I do expect it will be fixed by the patch to src/src/lookups/ldap.c in
> the most recent commit in my testing tree [1]. It does "the right
> thing" on my system with newer ldap client libs, and I'm awaiting
> feedback from Heiko to see if it works on his system with older ldap
> client libs.
>
> If anybody else is able to test this patch on a system
> (any OS and openldap libs combo is great) against an actual ldap
> server, I would be most appreciative.
>
> Alex, I cc'd you on this because I would like for you to verify, if at
> all possible, that this patch does not break your system for which we
> did the work on bug 1382 to fix the ldap_require_cert patching.
>
> ...Todd
>
> [1]
> http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_set_ldap_options
>
> --
> The total budget at all receivers for solving senders' problems is $0.
> If you want them to accept your mail and manage it the way you want,
> send it the way the spec says to. --John Levine

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
