Hello,

I have also installed LE certs. But nothing helps, I have double-checked all certs.

ldapsearch with -ZZ works, see: https://gwarband.de/openldap/ldapsearch.log

I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf

All other components can work and communicate with my openldap server. The components are postfix, openxchange, apache (phpldapadmin).

My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13

I hope you can find the issue.

Thanks,
Tobias

On 2017-03-17 22:48, Tomas Habarta wrote:
> Hi,
>
> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
> unix socket on the same machine, but tried over inet with STARTTLS and
> it's working ok...
>
> I would suggest double-checking key/certs setup on OpenLDAP side; for
> the test I have used LE certs, utilizing the following cn=config
> attributes:
>
> olcTLSCertificateKeyFile contains private key
> olcTLSCertificateFile contains certificate
> olcTLSCACertificateFile contains both certs (DST Root CA X3
> and Let's Encrypt Authority X3)
>
> and used the same CA file in Dovecot's tls_ca_cert_file
>
> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>
> Hope that helps, good luck ;)
> Tomas
>
> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>> Hello guys,
>>
>> actually I'm trying to configure dovecot to access openldap for
>> password check.
>> My openldap only allows access over "secure ldap".
>> The dovecot can communicate with the openldap server but there is
>> maybe a failure in the SSL handshake.
>> Additional information you can find in the logs or in the dump below.
>> Also I have my ldap config from dovecot in the links below.
>>
>> I have already created a bug report in the system of openldap but
>> the answer was to get support from here.
>>
>> All data links:
>> https://gwarband.de/openldap/dovecot.log
>> https://gwarband.de/openldap/dovecot-ldap.conf
>> https://gwarband.de/openldap/openldap.log
>> https://gwarband.de/openldap/trace.dump
>>
>> The bug report link from openldap:
>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>
>> I hope you can help me.
>>
>> Regards.
>> Tobias Warband
Well, if ldapsearch works, try to replicate its settings for the dovecot client.
It's not obvious what settings ldapsearch uses, have a look at the default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way.
Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file as dovecot may not have access for reading...

I cannot see anything downright bad, just the posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem but I consider it's the same file.

Finally, I would recommend enabling the debug option for dovecot's client, debug_level = -1 (which logs all available) in your dovecot-ldap.conf, to see what the library reports and work further on that.
You can compare with output from ldapsearch by adding the -d-1 switch to it.

Hard to tell more at the moment.

Tomas

On 03/18/2017 09:41 AM, info at gwarband.de wrote:
> Hello,
>
> I have also installed LE certs.
> But nothing helps, I have double-checked all certs.
>
> ldapsearch with -ZZ works, see: https://gwarband.de/openldap/ldapsearch.log
>
> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
> the merge of the two files:
> https://gwarband.de/openldap/LetsEncrypt.crt
>
> And also I have uploaded my complete openldap configuration:
> https://gwarband.de/openldap/openldap.conf
>
> All other components can work and communicate with my openldap server.
> The components are postfix, openxchange, apache (phpldapadmin).
>
> My installed software is:
> Debian 8
> OpenLDAP 2.4.40
> Dovecot 2.2.13
>
> I hope you can find the issue.
>
> Thanks,
> Tobias
>
> On 2017-03-17 22:48, Tomas Habarta wrote:
>> Hi,
>>
>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>> unix socket on the same machine, but tried over inet with STARTTLS and
>> it's working ok...
>>
>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>> the test I have used LE certs, utilizing the following cn=config attributes:
>>
>> olcTLSCertificateKeyFile contains private key
>> olcTLSCertificateFile contains certificate
>> olcTLSCACertificateFile contains both certs (DST Root CA X3
>> and Let's Encrypt Authority X3)
>>
>> and used the same CA file in Dovecot's tls_ca_cert_file
>>
>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>
>> Hope that helps, good luck ;)
>> Tomas
>>
>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>> Hello guys,
>>>
>>> actually I'm trying to configure dovecot to access openldap for
>>> password check.
>>> My openldap only allows access over "secure ldap".
>>> The dovecot can communicate with the openldap server but there is maybe
>>> a failure in the SSL handshake.
>>> Additional information you can find in the logs or in the dump below.
>>> Also I have my ldap config from dovecot in the links below.
>>>
>>> I have already created a bug report in the system of openldap but
>>> the answer was to get support from here.
>>>
>>> All data links:
>>> https://gwarband.de/openldap/dovecot.log
>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>> https://gwarband.de/openldap/openldap.log
>>> https://gwarband.de/openldap/trace.dump
>>>
>>> The bug report link from openldap:
>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>
>>> I hope you can help me.
>>>
>>> Regards.
>>> Tobias Warband

-- 
toCc.cz
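Tomas's checklist above (the same CA file on both sides, a CA file the dovecot user can actually read, and a STARTTLS test that does not depend on ldapsearch's own client settings) can be exercised from plain Python. The block below is an added example written for this page, not code from the thread, from Dovecot or from OpenLDAP. It sends the LDAP StartTLS extended request itself, verifies the server against the CA bundle a Dovecot client would name in tls_ca_cert_file, and checks that the bundle is a clean concatenation of complete PEM blocks readable by a given system user. SAMPLE_BUNDLE is a constructed placeholder with the shape of a two-certificate bundle, not a real certificate; any host, port, path or user name you pass in is your own.

```python
"""Added example, not from the thread: run Dovecot's LDAP StartTLS step in plain
Python and check the CA bundle and its readability, the points Tomas raises.
Only the standard library is used."""
import grp, os, pwd, socket, ssl, stat

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended op (RFC 4511)

# Constructed bundle in the shape olcTLSCACertificateFile / tls_ca_cert_file expects:
# two PEM blocks (root + intermediate). The base64 payload is a placeholder, not a cert.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVC1DQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5URVJNRURJQVRF
-----END CERTIFICATE-----
"""

def split_pem_blocks(text):
    """Return every complete PEM block; raise on a stray or unterminated block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            if current is not None:
                raise ValueError("BEGIN inside an unterminated block")
            current = [line]
        elif line.startswith("-----END "):
            if current is None:
                raise ValueError("END without a matching BEGIN")
            blocks.append("\n".join(current + [line]))
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ValueError("bundle ends inside an unterminated block")
    return blocks

def mode_allows_read(mode, file_uid, file_gid, uid, gids):
    """Unix read check: owner bits, then group bits, then other; root reads anything."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def readable_by(path, username):
    """Can this system user (e.g. the one Dovecot's auth worker runs as) open path?"""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)   # mode bits only; ACLs and MAC policy are outside this check
    return mode_allows_read(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)

def ber(tag, content):
    """One BER TLV; short-form length below 128 octets, long form above."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([message_id])) + ext)

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result_code(msg):
    """resultCode of an LDAP ExtendedResponse ([APPLICATION 24], tag 0x78); 0 is success."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)              # skip messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, _ = read_tlv(op, 0)             # resultCode is the first ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def starttls_handshake(host, port, ca_file, timeout=5.0):
    """Connect in clear, request StartTLS, then verify the server against ca_file,
    the sequence a client configured with tls_ca_cert_file runs. Returns TLS version."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError("server refused StartTLS, resultCode %d" % code)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Against a live server, call `starttls_handshake("ldap.example.invalid", 389, "/etc/dovecot/ca.pem")` with your own host and the CA path from dovecot-ldap.conf (both placeholders here), and `readable_by("/etc/dovecot/ca.pem", "dovecot")` with the user Dovecot's auth process runs as. A `ValueError` from `split_pem_blocks` on the concatenated file would point at the merge Tobias suspects; a certificate verification error from `wrap_socket` with a bundle that ldapsearch accepts suggests the two clients are not reading the same CA material, which is exactly the ldap.conf comparison Tomas recommends.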
I've replicated the settings from ldapsearch to dovecot but no success.

To the certificate: Yes, it's a *.crt file but I have linked the *.pem file to it and dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other side with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the SSL handshaking between openldap and dovecot, but I can't find the source of the problem. One of the steps in the SSL handshaking is not successful but in the debugging output I can't find any line with a hint to it.

Tobias

On 2017-03-18 12:30, Tomas Habarta wrote:
> Well, if ldapsearch works, try to replicate its settings for the dovecot
> client.
> It's not obvious what settings ldapsearch uses, have a look at the default
> client settings in /etc/openldap/ldap.conf, there may be something set a
> slightly different way.
> Also double check permissions for files used by dovecot, I mean mainly
> the file listed for tls_ca_cert_file as dovecot may not have access
> for reading...
>
> I cannot see anything downright bad, just the posted CA cert (which is ok,
> tested) is *.crt and your config mentions *.pem but I consider it's the
> same file.
>
> Finally, I would recommend enabling the debug option for dovecot's client,
> debug_level = -1 (which logs all available) in your dovecot-ldap.conf,
> to see what the library reports and work further on that.
> You can compare with output from ldapsearch by adding the -d-1 switch to
> it.
>
> Hard to tell more at the moment.
>
> Tomas
>
> On 03/18/2017 09:41 AM, info at gwarband.de wrote:
>> Hello,
>>
>> I have also installed LE certs.
>> But nothing helps, I have double-checked all certs.
>>
>> ldapsearch with -ZZ works, see:
>> https://gwarband.de/openldap/ldapsearch.log
>>
>> I have also uploaded the TLSCACertificateFile, maybe I have a failure
>> in the merge of the two files:
>> https://gwarband.de/openldap/LetsEncrypt.crt
>>
>> And also I have uploaded my complete openldap configuration:
>> https://gwarband.de/openldap/openldap.conf
>>
>> All other components can work and communicate with my openldap
>> server.
>> The components are postfix, openxchange, apache (phpldapadmin).
>>
>> My installed software is:
>> Debian 8
>> OpenLDAP 2.4.40
>> Dovecot 2.2.13
>>
>> I hope you can find the issue.
>>
>> Thanks,
>> Tobias
>>
>> On 2017-03-17 22:48, Tomas Habarta wrote:
>>> Hi,
>>>
>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over
>>> the unix socket on the same machine, but tried over inet with STARTTLS
>>> and it's working ok...
>>>
>>> I would suggest double-checking key/certs setup on OpenLDAP side;
>>> for the test I have used LE certs, utilizing the following cn=config
>>> attributes:
>>>
>>> olcTLSCertificateKeyFile contains private key
>>> olcTLSCertificateFile contains certificate
>>> olcTLSCACertificateFile contains both certs (DST Root CA X3
>>> and Let's Encrypt Authority X3)
>>>
>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>
>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>>
>>> Hope that helps, good luck ;)
>>> Tomas
>>>
>>> On 03/17/2017 04:27 PM, info at gwarband.de wrote:
>>>> Hello guys,
>>>>
>>>> actually I'm trying to configure dovecot to access openldap for
>>>> password check.
>>>> My openldap only allows access over "secure ldap".
>>>> The dovecot can communicate with the openldap server but there is
>>>> maybe a failure in the SSL handshake.
>>>> Additional information you can find in the logs or in the dump
>>>> below.
>>>> Also I have my ldap config from dovecot in the links below.
>>>>
>>>> I have already created a bug report in the system of openldap
>>>> but the answer was to get support from here.
>>>>
>>>> All data links:
>>>> https://gwarband.de/openldap/dovecot.log
>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>> https://gwarband.de/openldap/openldap.log
>>>> https://gwarband.de/openldap/trace.dump
>>>>
>>>> The bug report link from openldap:
>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>
>>>> I hope you can help me.
>>>>
>>>> Regards.
>>>> Tobias Warband