similar to: Samba with OpenLDAP: Failed to issue the StartTLS instruction: Connect error

Displaying 20 results from an estimated 5000 matches similar to: "Samba with OpenLDAP: Failed to issue the StartTLS instruction: Connect error"

2010 Apr 27
0
smbldap-tools vrs. Ldapsam:Editposix
Hi, recently I got my ldap server up and running and now I'd like to start to use it with our 600-user-300-windows-pc samba server. (Centos 5.4, samba-3.0.33-3.28, openldap-2.3.43, smbldap-tools-0.9.5-) So I started to read the samba how to, some books, a lot of postings and finally tried first the smbldap-tools from idealx. After that I tried the Ldapsam:Editposix as this is the built in
2017 Mar 20
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
> On March 20, 2017 at 5:28 PM info at gwarband.de wrote: > > > Can somebody say something about this request? > > This is an email from the openldap-technical mailing list from openldap. > > System details are mentioned in the other email. > > -------- Original message -------- > Subject: Re: Dovecot can't connect to openldap over starttls > Date:
2017 Mar 20
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Well, those actually *reduce* the possible algorithms that can be used, so uncommenting those can make things worse. Anyways, your pcap seems incomplete, can you try again? Aki > On March 20, 2017 at 8:14 PM info at gwarband.de wrote: > > > I have also tested with 2.2.28 and this version has the same issue. > > The finding of compatible ciphers is not the problem because I
2017 Mar 20
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Did you do some successful lookup with something there? I can see few failed attempts and one that seems to have worked just fine. As pointed out earlier, are you using security frameworks like SELinux or AppArmor? Also, can you provide namei -l /etc/ssl/certs/LetsEncrypt.pem The failed attempts are really short, indicating a VERY early problem with SSL handshake. Aki > On March 20, 2017 at
2017 Mar 20
2
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Can somebody say something about this request? This is an email from the openldap-technical mailing list from openldap. System details are mentioned in the other email. -------- Original message -------- Subject: Re: Dovecot can't connect to openldap over starttls Date: 2017-03-20 16:18 Sender: Dan White <dwhite at cafedemocracy.org> Recipient: info at gwarband.de Cc:
2017 Mar 21
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Could you copy LetsEncrypt.pem to a world-readable location, with world-readable rights, and see if this helps with your problem. I saw you tried with cat using su(do), but unfortunately supplementary groups are not always used with processes. Aki On 20.03.2017 23:09, info at gwarband.de wrote: > The one that works fine was my openxchange server, that loads contacts > from openldap. >
2016 Jan 06
0
Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On Tue, Jan 05, 2016 at 05:35:21PM -0600, Graham Allan wrote: > I know this is something which should have a simple fix but I'm failing > to see it somehow. > > I'm moving samba service between a couple of FreeBSD systems (9.3 to > 10.2), and I'm stuck on getting samba on the new machine to connect to > our openldap server over ssl - frustrating since I've
2017 Mar 17
0
Dovecot can't connect to openldap over starttls
Hi, been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok... I would suggest double-checking key/certs setup on OpenLDAP side; for the test I have used LE certs, utilizing following cn=config attributes: olcTLSCertificateKeyFile contains private key olcTLSCertificateFile contains
2016 Jan 06
0
Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On 01/06/2016 01:34 PM, Lee Brown wrote: > On Wed, Jan 6, 2016 at 10:36 AM, Graham Allan <allan at physics.umn.edu > <mailto:allan at physics.umn.edu>> wrote: > > On 01/06/2016 09:53 AM, Graham Allan wrote: > > > The packet dump is a good idea. I get the same failure using > straight > SSL to port 636, but wireshark might be able
2016 Jan 06
2
Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On 1/5/2016 7:19 PM, Lee Brown wrote: > > A total guess would be to use either ldaps:// and don't bother with > start_tls, or add the :636 to the end of the ldap:// specification as it > seems to me that start_tls is pretty agnostic regarding whatever > protocol it works against (SMTP, LDAP, etc.). ie > > passdb backend = ldapsam:"ldaps://ldap-server-fqdn" >
2016 Jan 06
0
Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On Tue, Jan 5, 2016 at 3:35 PM, Graham Allan <allan at physics.umn.edu> wrote: > I know this is something which should have a simple fix but I'm failing to > see it somehow. > > I'm moving samba service between a couple of FreeBSD systems (9.3 to > 10.2), and I'm stuck on getting samba on the new machine to connect to our > openldap server over ssl -
2017 Mar 20
2
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
I have also tested with 2.2.28 and this version has the same issue. The finding of compatible ciphers is not the problem because I have uncommented the ldap entries: TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM TLSProtocolMin 3.1 Maybe you have further ideas. On 2017-03-20 17:42, Aki Tuomi wrote: >> On March 20, 2017 at 5:28 PM
2017 Mar 18
0
Dovecot can't connect to openldap over starttls
Well, if ldapsearch works, try to replicate its settings for dovecot client. It's not obvious what settings ldapsearch uses, have a look at default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way. Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file as dovecot may not have an access for
2016 Jan 06
1
Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On Wed, Jan 6, 2016 at 12:56 PM, Graham Allan <allan at physics.umn.edu> wrote: > On 01/06/2016 01:34 PM, Lee Brown wrote: > >> On Wed, Jan 6, 2016 at 10:36 AM, Graham Allan <allan at physics.umn.edu >> <mailto:allan at physics.umn.edu>> wrote: >> >> On 01/06/2016 09:53 AM, Graham Allan wrote: >> >> >> The packet dump
2017 Mar 17
2
Dovecot can't connect to openldap over starttls
Hello guys, actually I'm trying to configure dovecot to access openldap for password check. My openldap only allows access over "secure ldap". The dovecot can communicate with the openldap server but there is maybe a failure in the SSL handshake. Additional information you can find in the logs or in the dump below. Also I have my ldap config from dovecot in the links below. I
2017 Mar 18
0
Dovecot can't connect to openldap over starttls
Increase log level on server side as well to see what the server says... You may remove anything in TLSCipherSuite for the purpose of testing too. Hopefully anyone knowing OpenLDAP internals could help you analyse it more deeply. Tomas On 03/18/2017 01:31 PM, info at gwarband.de wrote: > I've replicated the settings from ldapsearch to dovecot but no success. > To the certificate: >
2017 Mar 20
2
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
I have a new pcap from beginning to the end with openldap "TLS negoiation failed" https://gwarband.de/openldap/tracefile.dump The source ports are 45376 and 45377 Tobias On 2017-03-20 19:59, Aki Tuomi wrote: > Well, those actually *reduce* the possible algorithms that can be > used, so uncommenting those can make things worse. > > Anyways, your pcap seems incomplete,
2017 Mar 20
0
Dovecot can't connect to openldap over starttls
I've finally managed that running on Debian 8 test machine by commenting tls_ca_cert_file = option from dovecot-ldap.conf, so only tls = yes tls_require_cert = demand Not sure why is that as on my CentOS6 Dovecot works even with that commented option. May be that CentOS and Debian use a different ldap library or different versions or there's another peculiarity ... Anyway, when
2016 Jan 06
3
Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On Wed, Jan 6, 2016 at 10:36 AM, Graham Allan <allan at physics.umn.edu> wrote: > On 01/06/2016 09:53 AM, Graham Allan wrote: > >> >> The packet dump is a good idea. I get the same failure using straight >> SSL to port 636, but wireshark might be able to decode any StartTLS >> negotiation attempt on the default port. Failing that I guess I'll >>
2017 Mar 20
2
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
The one that works fine was my openxchange server, that loads contacts from openldap. In my opinion I don't have installed a security framework like SELinux or AppArmor. The output of namei -l /etc/ssl/certs/LetsEncrypt.pem f: /etc/ssl/certs/LetsEncrypt.pem drwxr-xr-x root root / drwxr-xr-x root root etc drwxr-xr-x root root ssl drwxr-xr-x root root certs lrwxrwxrwx root