Displaying 20 results from an estimated 1000 matches similar to: "Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]"
2017 Mar 20
2
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
I have also tested with 2.2.28 and this version has the same issue.
The finding of compatible ciphers is not the problem because I have
uncommented the ldap entrys:
TLSCipherSuite
SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin 3.1
Maybe you have further ideas.
Am 2017-03-20 17:42, schrieb Aki Tuomi:
>> On March 20, 2017 at 5:28 PM
2017 Mar 20
2
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
I have a new pcap from beginning to the end with openldap "TLS
negoiation failed"
https://gwarband.de/openldap/tracefile.dump
The sourceports are 45376 and 45377
Tobias
Am 2017-03-20 19:59, schrieb Aki Tuomi:
> Well, those actually *reduce* the possible algorithms that can be
> used, so uncommenting those can make things worse.
>
> Anyways, your pcap seems incomplete,
2017 Mar 20
2
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
The one that works fine was my openxchange server, that loads contacts
from openldap.
In my opinion I don't have installed a security framework list SELinux
or AppArmor.
The output of namei -l /etc/ssl/certs/LetsEncrypt.pem
f: /etc/ssl/certs/LetsEncrypt.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwxr-xr-x root root certs
lrwxrwxrwx root
2017 Mar 20
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Did you do some succesful lookup with something there? I can see few failed attempts and one that seems to have worked just fine.
As pointed out earlier, are you using security frameworks like SELinux or AppArmor? Also, can you provide namei -l /etc/ssl/certs/LetsEncrypt.pem
The failed attempts are really short, indicating a VERY early problem with SSL handshake.
Aki
> On March 20, 2017 at
2017 Mar 20
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Well, those actually *reduce* the possible algorithms that can be used, so uncommenting those can make things worse.
Anyways, your pcap seems incomplete, can you try again?
Aki
> On March 20, 2017 at 8:14 PM info at gwarband.de wrote:
>
>
> I have also tested with 2.2.28 and this version has the same issue.
>
> The finding of compatible ciphers is not the problem because I
2017 Mar 20
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
> On March 20, 2017 at 5:28 PM info at gwarband.de wrote:
>
>
> Can sombody say something about this request?
>
> This is an email from the openldap-technical mailinglist from openldap.
>
> Systemdetails are mention in the other email.
>
> -------- Originalnachricht --------
> Betreff: Re: Dovecot can't connect to openldap over starttls
> Datum:
2017 Mar 21
0
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Could you copy LetsEncrypt.pem to a world-readable location, with
world-readable rights, and see if this helps with your problem. I saw
you tried with cat using su(do), but unfortunately supplementary groups
are not always used with processes.
Aki
On 20.03.2017 23:09, info at gwarband.de wrote:
> The one that works fine was my openxchange server, that loads contacts
> from openldap.
>
2017 Mar 18
2
Dovecot can't connect to openldap over starttls
Hello,
I have also installed LE certs.
But nothing helps, I have double-checking all certs.
ldapsearch with -ZZ works see:
https://gwarband.de/openldap/ldapsearch.log
I have also uploaded the TLSCACertificateFile, maybe I have a failure
in the merge of the two fiels:
https://gwarband.de/openldap/LetsEncrypt.crt
And also I have uploaded my complete openldap configuration:
2017 Mar 18
2
Dovecot can't connect to openldap over starttls
The serverlog of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 Minute before he says "TLS negotiation failure"
after the connect.
and dovecot says direct "Connect error"
I've also delete the TLSCipherSuite from openldap.
Tobias
Am 2017-03-18 14:01, schrieb Tomas Habarta:
> Increase log level on server
2017 Mar 20
2
Dovecot can't connect to openldap over starttls
I've tested your soulution, but it also says the same error.
I've tested all combinations of:
- tls_ca_cert_file = <cert>
- tls = yes
- tls_require_cert = demand
Every time it says "Connection error".
Only when tls is uncommented it says "TLS required".
Additional information from my contact with the openldap-technical
mailing list:
The
2017 Mar 18
2
Dovecot can't connect to openldap over starttls
I've replicate the settings from ldapsearch to dovecot but no success.
To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and
dovecot has read access to that file.
I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log
And the other site with ldapsearch:
2017 Mar 17
2
Dovecot can't connect to openldap over starttls
Hello guys,
actually I'm trying to configure dovecot to access openldap for
passwordcheck.
My openldap is only allow access over "secure ldap".
The dovecot can communicate with the openldap server but there is maybe
a failure in the sslhandshake.
Additional information you can find in the logs or in the dump below.
Also I have my ldap config from dovecot in the links below.
I
2017 Mar 18
0
Dovecot can't connect to openldap over starttls
Increase log level on server side as well to see what the server says...
You may remove anything in TLSCipherSuite for the purpose of testing too.
Hopefully anyone knowing OpenLDAP internals could help you analyse it
more deeply.
Tomas
On 03/18/2017 01:31 PM, info at gwarband.de wrote:
> I've replicate the settings from ldapsearch to dovecot but no success.
> To the certificate:
>
2017 Mar 20
0
Dovecot can't connect to openldap over starttls
I've finally managed that running on Debian 8 test machine by commenting
tls_ca_cert_file =
option from dovecot-ldap.conf, so only
tls = yes
tls_require_cert = demand
Not sure why is that as on my CentOS6 Dovecot works even with that
commented option. May be that CentOS and Debian uses different ldap
library or different versions or there's another peculiarity ...
Anyway, when
2017 Mar 18
0
Dovecot can't connect to openldap over starttls
Well, if ldapsearch works, try to replicate its settings for dovecot client.
It's not obvious what settings ldapsearch uses, have a look at default
client settings in /etc/openldap/ldap.conf, there may be something set a
slightly different way.
Also double check permissions for files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file as dovecot may not have an access
for
2017 Mar 20
0
Dovecot can't connect to openldap over starttls
Actually, I likely managed to replicate the problem itself.
I've observed described behavior (timeout with connection error) only if
Dovecot's tls_ca_cert_file provided either non-existent file or there
was no read access to the existing file -- found during review after
sending my last post as I run CentOS, not Debian and didn't adjust the
path correctly (/etc/ldap vs. /etc/openldap)
2017 Mar 17
0
Dovecot can't connect to openldap over starttls
Hi,
been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
unix socket on the same machine, but tried over inet with STARTTLS and
it's working ok...
I would suggest double-checking key/certs setup on OpenLDAP side; for
the test I have used LE certs, utilizing following cn=config attributes:
olcTLSCertificateKeyFile contains private key
olcTLSCertificateFile contains
2019 May 15
2
Dovecot not connecting to OpenLDAP
Hi,
We recently shutdown our old LDAP server and repointed our mail server
(dovecot + postfix) to our new LDAP server and ever since we've been unable
to fetch mail. Mail is getting delivered, but we just can't pop it. We're
using Ubuntu 16.04, btw.
We keep on getting the following error messages in /var/log/dovecote:
2019-05-15 16:27:43 auth: Error: LDAP
2016 Jan 06
3
Stymied with samba vs openldap SSL ("Failed to issue the StartTLS instruction...")
On Wed, Jan 6, 2016 at 10:36 AM, Graham Allan <allan at physics.umn.edu> wrote:
> On 01/06/2016 09:53 AM, Graham Allan wrote:
>
>>
>> The packet dump is a good idea. I get the same failure using straight
>> SSL to port 636, but wireshark might be able to decode any StartTLS
>> negotiation attempt on the default port. Failing that I guess I'll
>>
2002 Jun 21
1
Bug in 2.2.5 ? Configure can't find ldap_start_tls_s ..
Hi everybody,
i just tried to install v 2.2.5 but i get the following
mesage from configure :
-----snipp----
checking for ldap_start_tls_s... no
-----snipp----
grep in /usr/include tells me :
-----snipp----
486dx66:/usr/include # grep --line-number ldap_start_tls_s
ldap*
ldap.h:1075:ldap_start_tls_s LDAP_P((
486dx66:/usr/include #
-----snipp----
Looking into /usr/include/ldap.h from line