On 03/19/17 09:07 +0100, [email protected] wrote:
On 2017-03-19 01:09, Dan White wrote:
On 03/17/2017 04:27 PM, [email protected] wrote:
https://gwarband.de/openldap/dovecot.log
Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=149.172.171.148, lip=188.68.37.50, session=<gcDtzHFKbwCVrKuU>
https://gwarband.de/openldap/dovecot-ldap.conf
uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
https://gwarband.de/openldap/openldap.conf
# Certificate
TLSCACertificateFile /etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin 3.1
TLSVerifyClient never
# Read slapd.conf(5) for possible values
loglevel 256
# There are more verbose options.
# Include ACLs
include /etc/ldap/acl.conf
What are the contents of /etc/ldap/ldap.conf?
The ldap.conf is no different from the dovecot-ldap.conf.
See: https://gwarband.de/openldap/ldap.conf
The "TLS_REQCERT" setting is "demand" in both confs. I changed it
afterwards.
The ldapsearch command also works as the user "dovecot".
See: https://gwarband.de/openldap/ldapsearch-dovecot.log
~$ ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"
There is a difference in your binding DN.
Debug Dovecot's implementation of ldap_start_tls_s().
--
Dan White
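As an added example (not code from the thread, from Dovecot or from OpenLDAP), a small offline check that reproduces Dan's comparison: it parses the Dovecot LDAP settings quoted above, works out whether Dovecot will use STARTTLS or LDAPS for the URI it was given, and reports how the failing Dovecot path differs from the working ldapsearch -ZZ path. The config lines, the ldapsearch command and the log line are copied from the thread; the finding names are my own.

```python
import re

# Constructed from the thread: the Dovecot LDAP settings relevant to the TLS
# handshake, the ldapsearch command reported to work, and the logged error.
DOVECOT_LDAP_CONF = """\
uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
"""
LDAPSEARCH_CMD = 'ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"'
DOVECOT_LOG = """\
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
"""

def parse_dovecot_ldap(text):
    """Parse the 'key = value' lines of dovecot-ldap.conf, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def tls_mode(conf):
    """ldaps:// URIs give implicit TLS; tls = yes with ldap:// means STARTTLS on 389."""
    schemes = {u.split(":", 1)[0].lower() for u in conf.get("uris", "").split()}
    wants_tls = conf.get("tls", "no") == "yes"
    if "ldaps" in schemes:
        return "conflict" if wants_tls else "ldaps"  # tls = yes is for STARTTLS only
    return "starttls" if wants_tls else "plain"

def ldapsearch_bind_dn(cmd):
    m = re.search(r'-D\s+"([^"]+)"', cmd)  # None means an anonymous search
    return m.group(1) if m else None

def diagnose(conf_text, cmd, log):
    """Compare the failing Dovecot path with the working ldapsearch path."""
    conf = parse_dovecot_ldap(conf_text)
    findings = []
    if any("ldap_start_tls_s() failed" in l for l in log.splitlines()):
        findings.append("dovecot_starttls_failed")
    if "-ZZ" in cmd.split() and tls_mode(conf) == "starttls":
        findings.append("both_use_starttls")  # the TLS mode itself is not the difference
    bind_dn = ldapsearch_bind_dn(cmd)
    if bind_dn and bind_dn != conf.get("dn"):
        findings.append("bind_dn_differs")  # cn=admin vs Dovecot's technical account
    return findings
```

Run `diagnose(DOVECOT_LDAP_CONF, LDAPSEARCH_CMD, DOVECOT_LOG)` against your own files: a result of only `both_use_starttls` plus `dovecot_starttls_failed` points at the TLS handshake from Dovecot's process, while `bind_dn_differs` means the two tests did not even exercise the same account.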