sebastiano degan
2020-Nov-19  10:55 UTC
Dovecot authentication hangs when ldap_start_tls_s() fails for invalid certificate
On Debian 10 I've installed postfix 3.4.14 and dovecot 2.3.4.1.
I've configured multiple passdb sources and I expect that if one fails
the other ones are tested.
This is usually the case, except when the failure is due to an invalid
certificate from the LDAP server.
In that case all authentication attempts from that moment on will fail.
I've trimmed down the configuration as much as possible (see below),
and this is the syslog output of my tests:
TEST 1 - Everything is configured correctly:
   No output on syslog
TEST 2 - Wrong hostname as an LDAP server:
  Auth attempt 1:
    Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-userdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:35 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
  Auth attempt 2:
    Nov 19 11:25:57 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:59 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
  Auth attempt 3:
    Nov 19 11:26:28 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:26:30 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
TEST 3 - Invalid certificate:
  Attempt 1:
    Nov 19 11:21:20 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Connect error
    Nov 19 11:21:20 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-userdb.conf.ext: ldap_start_tls_s() failed: Connect error
  No output on other attempts...
CONFIGURATION FILES:
______________________________________________________
auth.conf:
auth_mechanisms = plain login
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  default_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
}
______________________________________________________
______________________________________________________
dovecot-ldap-passdb.conf.ext:
tls = yes
hosts = DC1.fv.lan
base = ou=Frigoveneta,dc=fv,dc=lan
auth_bind = yes
auth_bind_userdn = %u
______________________________________________________
______________________________________________________
dovecot-ldap-userdb.conf.ext:
tls = yes
hosts = DC1.fv.lan
base = ou=Frigoveneta,dc=fv,dc=lan
dn = ##removed##
dnpass = ##removed##
user_filter = (&(userPrincipalName=%u))
______________________________________________________
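The two error strings in the report above come from libldap and point at different layers: "Can't contact LDAP server" (LDAP_SERVER_DOWN) means no TCP connection was made at all, while "Connect error" (LDAP_CONNECT_ERROR) means the TCP connection worked and the TLS handshake inside STARTTLS failed, which is what a rejected server certificate looks like. The script below is an added example, not code from the original post or from Dovecot itself: it parses the `auth: Error: LDAP <conf>: ldap_start_tls_s() failed: <reason>` lines Dovecot's auth process writes to syslog, counts them per passdb/userdb config file, and gives a one-word verdict on which layer failed. The error-string-to-layer mapping is an assumption based on libldap's `ldap_err2string()` texts, the syslog prefix format is assumed to be the default one shown in the post, and the sample input is the post's own log lines re-joined onto single lines.

```python
"""Classify Dovecot LDAP STARTTLS failures from syslog lines.

Added example, not code from the original post or from Dovecot. It sorts the
"ldap_start_tls_s() failed" errors by which passdb/userdb config file was
involved and at which layer the STARTTLS attempt died.
"""
import re
from collections import Counter

# Dovecot auth-process error line as it appears in the post. The syslog
# prefix ("Mon DD HH:MM:SS host dovecot: ...") is assumed to be the default.
LDAP_TLS_ERR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: auth: "
    r"Error: LDAP (?P<conf>\S+): ldap_start_tls_s\(\) failed: (?P<reason>.+)$"
)

# libldap ldap_err2string() texts -> the layer that failed (assumed mapping):
#   LDAP_SERVER_DOWN   (-1)  "Can't contact LDAP server": no TCP connection
#                             (DNS, firewall, wrong host or port)
#   LDAP_CONNECT_ERROR (-11) "Connect error": TCP worked, the TLS handshake
#                             did not (certificate verification failure, missing
#                             CA, name mismatch, server without STARTTLS)
REASON_CLASS = {
    "Can't contact LDAP server": "transport",
    "Connect error": "tls_handshake",
}


def classify(reason):
    """Map a libldap error string to a failure layer ('unknown' if unrecognised)."""
    return REASON_CLASS.get(reason.strip(), "unknown")


def parse_tls_failures(lines):
    """Return one dict per ldap_start_tls_s() failure found in the lines."""
    found = []
    for line in lines:
        m = LDAP_TLS_ERR.match(line.strip())
        if m:
            found.append({
                "ts": m.group("ts"),
                "conf": m.group("conf"),
                "reason": m.group("reason").strip(),
                "class": classify(m.group("reason")),
            })
    return found


def summarize(lines):
    """Count failures per (config file, failure layer)."""
    counts = Counter((f["conf"], f["class"]) for f in parse_tls_failures(lines))
    return dict(counts)


def verdict(lines):
    """One-word diagnosis for a batch of log lines.

    'none'          - no STARTTLS failures logged
    'transport'     - only connection-level failures (server unreachable)
    'tls_handshake' - only handshake failures: fix the CA / certificate,
                      do not relax verification to make auth "work"
    'mixed'         - both kinds (or an unrecognised reason) present
    """
    classes = {f["class"] for f in parse_tls_failures(lines)}
    if not classes:
        return "none"
    if classes == {"transport"}:
        return "transport"
    if classes == {"tls_handshake"}:
        return "tls_handshake"
    return "mixed"


# Sample input: the post's TEST 2 (attempt 1) and TEST 3 lines, re-joined.
PASSDB = "/etc/dovecot/dovecot-ldap-passdb.conf.ext"
USERDB = "/etc/dovecot/dovecot-ldap-userdb.conf.ext"
TEST2_ATTEMPT1 = [
    f"Nov 19 11:25:29 debian dovecot: auth: Error: LDAP {PASSDB}: ldap_start_tls_s() failed: Can't contact LDAP server",
    f"Nov 19 11:25:29 debian dovecot: auth: Error: LDAP {USERDB}: ldap_start_tls_s() failed: Can't contact LDAP server",
    f"Nov 19 11:25:29 debian dovecot: auth: Error: LDAP {PASSDB}: ldap_start_tls_s() failed: Can't contact LDAP server",
    f"Nov 19 11:25:35 debian dovecot: auth: Error: LDAP {PASSDB}: ldap_start_tls_s() failed: Can't contact LDAP server",
]
TEST3_ATTEMPT1 = [
    f"Nov 19 11:21:20 debian dovecot: auth: Error: LDAP {PASSDB}: ldap_start_tls_s() failed: Connect error",
    f"Nov 19 11:21:20 debian dovecot: auth: Error: LDAP {USERDB}: ldap_start_tls_s() failed: Connect error",
]

if __name__ == "__main__":
    for name, lines in (("wrong hostname", TEST2_ATTEMPT1),
                        ("invalid certificate", TEST3_ATTEMPT1)):
        print(f"{name}: verdict={verdict(lines)} counts={summarize(lines)}")
```

When the verdict is `tls_handshake`, the practitioner's next check is the certificate chain the LDAP server presents, for example with `openssl s_client -connect DC1.fv.lan:389 -starttls ldap -CAfile <ca.pem>` (the `-starttls ldap` option exists in OpenSSL 1.1.1, which Debian 10 ships), and then pointing `tls_ca_cert_file` in the dovecot-ldap `.conf.ext` files at that CA. Setting `tls_require_cert = never` would also make the errors disappear, but it turns off the server authentication that STARTTLS is there to provide, so it is the wrong fix.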