search for: tls_ca_cert_fil

I've tested your soulution, but it also says the same error. I've tested all combinations of: - tls_ca_cert_file = <cert> - tls = yes - tls_require_cert = demand Every time it says "Connection error". Only when tls is uncommented it says "TLS required". Additional information from my contact with the openldap-technical mailing list: The ldapsearch under the user d...

...a look at >>> default >>> client settings in /etc/openldap/ldap.conf, there may be something >>> set a >>> slightly different way. >>> Also double check permissions for files used by dovecot, I mean >>> mainly >>> the file listed for tls_ca_cert_file as dovecot may not have an >>> access >>> for reading... >>> >>> I cannot see anything downright bad, just posted CA cert (which is >>> ok, >>> tested) is *.crt and your config mentions *.pem but I consider it's >>> the >&gt...

Actually, I likely managed to replicate the problem itself. I've observed described behavior (timeout with connection error) only if Dovecot's tls_ca_cert_file provided either non-existent file or there was no read access to the existing file -- found during review after sending my last post as I run CentOS, not Debian and didn't adjust the path correctly (/etc/ldap vs. /etc/openldap) in dovecot-ldap.conf when setting that up. Anyway, ldapsearch use...

...>>> introspection_mode = post >>>> debug = yes >>>> rawlog_dir = /tmp/oauth2 >>>> #force_introspection = yes >>>> username_attribute = username >>>> #active_attribute = active >>>> #active_value = true >>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt >>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem >>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem >>>> >>>> >>>> --------------- >>>> >>>> >&gt...

...ure Keycloak with nginx proxy and without it (access > > via port 8443) (in case the problem came from the ssl config on the > > keycloak server), but still the same error. > > > > If the bug is fixed, then could someone tell me what do I have to put in > > the option tls_ca_cert_file? > > > > I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I > > got from let's encrypt website (https://letsencrypt.org/certificates/ / > > tried ISRG Root X1 (self-signed) & Let?s Encrypt Authority X3 (IdenTrust > > cross-signed) & Let...

...rl = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923 at keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect introspection_mode = post debug = yes rawlog_dir = /tmp/oauth2 #force_introspection = yes username_attribute = username #active_attribute = active #active_value = true tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem tls_key_file = /etc/pki/dovecot/private/dovecot.pem --------------- The debug log is showing now slightly different msg ex: Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b...

...cn=config > attributes: > > olcTLSCertificateKeyFile contains private key > olcTLSCertificateFile contains certificate > olcTLSCACertificateFile contains both certs (DST Root CA X3 > and Let's Encrypt Authority X3) > > and used the same CA file in Dovecot's tls_ca_cert_file > > Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ? > > > > Hope that helps, good luck ;) > Tomas > > > On 03/17/2017 04:27 PM, info at gwarband.de wrote: >> Hello guys, >> >> actually I'm trying to configure dovecot...

...ient. > It's not obvious what settings ldapsearch uses, have a look at default > client settings in /etc/openldap/ldap.conf, there may be something set > a > slightly different way. > Also double check permissions for files used by dovecot, I mean mainly > the file listed for tls_ca_cert_file as dovecot may not have an access > for reading... > > I cannot see anything downright bad, just posted CA cert (which is ok, > tested) is *.crt and your config mentions *.pem but I consider it's > the > same file. > > Finally, I would recommend to enable debug optio...

...se. #sasl_realm = # SASL authorization ID, ie. the dnpass is for this "master user", but the # dn is still the logged in user. Normally you want to keep this empty. #sasl_authz_id = # Use TLS to connect to the LDAP server. tls = yes # TLS options, currently supported only with OpenLDAP: #tls_ca_cert_file =/etc/ssl/certs/ldap.crt tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem #tls_ca_cert_dir =/etc/ssl/certs/ #tls_cipher_suite = # TLS cert/key is used only if LDAP server requires a client certificate. #tls_cert_file = /etc/ssl/certs/ldap01_slapd_cert.pem #tls_key_file = /etc/ssl/private/ldap01_s...

...let's encrypt certificates. I tried to configure Keycloak with nginx proxy and without it (access via port 8443) (in case the problem came from the ssl config on the keycloak server), but still the same error. If the bug is fixed, then could someone tell me what do I have to put in the option tls_ca_cert_file? I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I got from let's encrypt website (https://letsencrypt.org/certificates/ / tried ISRG Root X1 (self-signed) & Let?s Encrypt Authority X3 (IdenTrust cross-signed) & Let?s Encrypt Authority X3 (Signed by ISRG Root X1))...

I've finally managed that running on Debian 8 test machine by commenting tls_ca_cert_file = option from dovecot-ldap.conf, so only tls = yes tls_require_cert = demand Not sure why is that as on my CentOS6 Dovecot works even with that commented option. May be that CentOS and Debian uses different ldap library or different versions or there's another peculiarity ... Anyway, when...

...st -u user.name the mailboxes are not listed and with -Dv i get "permission denied, no lookup rights". in my dovecot-ldap-userdb.conf.ext is hosts = ldap.server.example dn = cn=service_id,ou=mailserver,ou=system,ou=services,dc=server,dc=example dnpass = protectedpassword12345 tls = yes tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt tls_require_cert = demand ldap_version = 3 base = ou=users,dc=server,dc=example deref = always scope = subtree user_attrs = =home={ldap:dcMailMessageStore},system_groups_user=%u,allow_all_users=yes,=acl_groups=%{env:ACL_GROUPS} user_filter = (&(objectClass=...

...greater log. >> >> I recommend consulting Dovecot's advice on how to run a debugger, or >> dig >> into the code which calls libldap. > > Hi! > I just ran a quick test, and following things are needed: > > uris = ldap://ldap.host.com > tls = yes > tls_ca_cert_file = /path/to/cert-bundle.crt > > this has been tested with 2.2.28, and works just fine. Not sure why > you are having issues. > > Of course this could be anything between not finding compatible > ciphers to the LDAP server actually expecting client certificate, what > with the...

...-ldap.conf.ext: > ldap_start_tls_s() failed: Local error > > # Space separated list of LDAP hosts to use. host:port is allowed too. > hosts = 139.147.9.135 > > # Use TLS to connect to the LDAP server. > tls = yes > # TLS options, currently supported only with OpenLDAP: > #tls_ca_cert_file =/etc/ssl/certs/ldap.crt > tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem > # is still used, only the password field is ignored in it. Before doing any > # search, the binding is switched back to the default DN. > auth_bind = yes > > # For example: > # auth_bind_userdn =...

...ect > > > introspection_mode = post > > > debug = yes > > > rawlog_dir = /tmp/oauth2 > > > #force_introspection = yes > > > username_attribute = username > > > #active_attribute = active > > > #active_value = true > > > tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt > > > tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem > > > tls_key_file = /etc/pki/dovecot/private/dovecot.pem > > > > > > > > > --------------- > > > > > > > > > &g...

...ate its settings for dovecot client. It's not obvious what settings ldapsearch uses, have a look at default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way. Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file as dovecot may not have an access for reading... I cannot see anything downright bad, just posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem but I consider it's the same file. Finally, I would recommend to enable debug option for dovecot's client debug_level =...

...ost > >>>> debug = yes > >>>> rawlog_dir = /tmp/oauth2 > >>>> #force_introspection = yes > >>>> username_attribute = username > >>>> #active_attribute = active > >>>> #active_value = true > >>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt > >>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem > >>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem > >>>> > >>>> > >>>> --------------- > >>>>...

...a debugger, >>>> or >>>> dig >>>> into the code which calls libldap. >>> >>> Hi! >>> I just ran a quick test, and following things are needed: >>> >>> uris = ldap://ldap.host.com >>> tls = yes >>> tls_ca_cert_file = /path/to/cert-bundle.crt >>> >>> this has been tested with 2.2.28, and works just fine. Not sure why >>> you are having issues. >>> >>> Of course this could be anything between not finding compatible >>> ciphers to the LDAP server actually...

Can sombody say something about this request? This is an email from the openldap-technical mailinglist from openldap. Systemdetails are mention in the other email. -------- Originalnachricht -------- Betreff: Re: Dovecot can't connect to openldap over starttls Datum: 2017-03-20 16:18 Absender: Dan White <dwhite at cafedemocracy.org> Empf?nger: info at gwarband.de Kopie:

...ith nginx proxy and without it (access >>> via port 8443) (in case the problem came from the ssl config on the >>> keycloak server), but still the same error. >>> >>> If the bug is fixed, then could someone tell me what do I have to put in >>> the option tls_ca_cert_file? >>> >>> I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I >>> got from let's encrypt website (https://letsencrypt.org/certificates/ / >>> tried ISRG Root X1 (self-signed) & Let?s Encrypt Authority X3 (IdenTrust >>> cross-sig...