On 9/3/2010 4:29 PM, Patrick Ben Koetter wrote:
Postfix has full read on the certs. As a test to that I copied them to the postfix directory, chown'ed them to the postfix user, and re-tested. I still get the error from this command:* Seann<[email protected]>:On 9/3/2010 4:16 PM, Victor Duchovni wrote:On Fri, Sep 03, 2010 at 04:07:13PM -0500, Seann wrote:Enable LDAP debugging to see more logging. The OpenLDAP library will return this error when the peer certificate CommonName does not match the hostname you specify, but there could be other errors.When I use the LDAPS URI, I get this: Sep 2 09:46:55 server postfix/postmap[4659]: warning: dict_ldap_connect: Unable to bind to server ldaps://AD.domain.net:636 as CN=admin,CN=Users, DC=domain,DC=net: -1 (Can't contact LDAP server)Is anyone home on port 636? Does "openssl s_client" work?Yes, there is a listener on 636, as I use it for other LDAPS queries. I haven't a clue how to turn on debuging for LDAP, is it the same flags as the main postfix system debugging?http://www.postfix.org/ldap_table.5.html describes the "debuglevel" parameter. The value "2" seems to be a useful level of LDAP verbosity.Sorry, I went back and RTFM, and found that. "TLS certificate verification: Error, unable to get local issuer certificate" is my new debug error that I am using Google to find out best places to look. I have the site CA file listed in the config, etc, so I am not sure why I get this error.Is Postfix in a group that is allowed to access and read certs? In Debian/Ubuntu you would install ssl-cert and add Postfix to the ssl-cert group. p...@rick
postmap -q [email protected] ldap:/etc/postfix/ldap-users.cf The exact error is:postmap: dict_ldap_debug: TLS certificate verification: Error, unable to get local issuer certificate
postmap: dict_ldap_debug: tls_write: want=7, written=7postmap: dict_ldap_debug: 0000: 15 03 01 00 02 02 30 ......0
postmap: dict_ldap_debug: TLS: can't connect.postmap: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
smime.p7s
Description: S/MIME Cryptographic Signature
