Problem with ldap table lookups and TLS

From: Nick Geron (no email)
Date: Tue Feb 24 2009 - 19:48:12 EST

  • Next message: Quanah Gibson-Mount: "Re: Problem with ldap table lookups and TLS"

    I'm in the process of putting together a Postfix system with an LDAP
    back-end and have come across something very odd regarding ldap_table.
    Basically, Postfix does not load my private CA. The CA is really a
    self-signed cert generated by Java keytool; try as I might, I couldn't
    get keytool to use our private CA generated by OpenSSL.

    Without a local copy of the 'CA', TLS connections fail with or without
    requiring a cert. I found a similar thread in the archive, but the root
    problem there was related to random number generation and GnuTLS, and
    the key in the log was an exit status 2 from trivial-rewrite:

    http://archives.neohapsis.com/archives/postfix/2008-01/0764.html

    Now, my tests are similar to this fellow's, but I do not get the same
    exit status. Also, all maps work fine without encryption.

    So, as root or as my limited-rights postfix user, this works:

    #postmap -q ldap:/etc/postfix/ldap/aliases.cf

    However, any lookup actions from the server fail to establish the TLS
    connection.

    Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: In dict_ldap_lookup
    Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_lookup: No existing connection for LDAP source /etc/postfix/ldap/aliases.cf, reopening
    Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_connect: Connecting to server ldap://ldap13.example.com:389
    Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: dict_ldap_connect: Actual Protocol version used is 3.
    Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    Feb 24 18:15:27 smtp11 postfix/trivial-rewrite[17631]: fatal: ldap:/etc/postfix/ldap/aliases.cf(0,lock|fold_fix): table lookup problem

    I do see that dict_ldap read my config here:
    Feb 24 18:22:38 smtp11 postfix/trivial-rewrite[17698]: cfg_get_str: /etc/postfix/ldap/aliases.cf: tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt

    I've been around and around with this all day and keep coming back to
    the same conclusion: proxymap and/or trivial-rewrite (or whatever is
    responsible for establishing the connection) is not loading my CA file,
    though it's explicitly set in my ldap table conf file:

    (/etc/postfix/ldap/aliases.cf)
    bind = yes
    bind_dn = uid=postfix,ou=ldap,cn=mailsystem
    bind_pw = abc123
    start_tls = yes
    version = 3
    tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
    #tls_require_cert = yes
    server_host = ldap://ldap13.example.com:389
    search_base = ou=domains,cn=mailsystem
    query_filter = (&(objectClass=CourierMailAlias)(mail=%s))
    result_attribute = maildrop
    #debuglevel = 1
    tls_random_file = /dev/urandom

    (in main.cf)
    virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/aliases.cf

    Running strace for opened files shows that the server loads another
    private CA and cert for smtpd (SMTP AUTH) and even system-specified
    certificates that it or the OpenSSL libs read out of /etc/ldap.conf.
    Traces even show that something is loading /etc/openldap/ldap.conf, in
    which I've also explicitly set a TLS_CAFILE entry for testing with the
    OpenLDAP binaries. I should also note that Courier authlib and saslauthd
    both work fine with TLS to the same LDAP server using the same CA.

    As one might expect, tracing the successful postmap command does show
    that it opens and reads the cert specified via tls_ca_cert_file:

    #strace -e trace=open postmap -q ldap:/etc/postfix/ldap/aliases.cf
    ...
    open("/etc/postfix/ssl/ldap13.crt", O_RDONLY) = 5
    ...

    Again, if I tell postmap to use the proxymap daemon with 'postmap -q
    proxy:ldap:/etc/postfix/ldap/aliases.cf', I get the same failure to
    load the cert and the same error -11 as in the syslog output above.

    The test rig is on a recent build of Gentoo with Postfix 2.5.6 built
    against OpenSSL 0.9.8g. The LDAP server is running OpenDS 1.2.

    Thanks for any help. This one's got me baffled. Please let me know if
    I should provide any additional output.

    -Nick Geron
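Two points in the posted aliases.cf deserve a check independent of the STARTTLS failure itself. First, tls_require_cert is commented out; the ldap_table(5) default is no, and with no Postfix tells the OpenLDAP client library not to verify the server certificate, so the CA in tls_ca_cert_file is never actually used to authenticate the server and a STARTTLS session can be completed with any certificate an impersonating server presents. Second, bind_pw is stored in the file in clear text, so the file's permissions (ldap_table(5) recommends keeping it readable only by root and the postfix user, with lookups going through proxy:) are part of the security of the setup. The following is an added example, not code from the original post or from Postfix: a small linter that parses an ldap_table .cf file and flags both issues. The sample config is constructed to mirror the posted one, and the function names are this example's own; the key names and defaults it checks are those documented in ldap_table(5).

```python
import os
import re
import stat

# Constructed sample modelled on the posted aliases.cf; not the poster's file.
SAMPLE_CF = """\
bind = yes
bind_dn = uid=postfix,ou=ldap,cn=mailsystem
bind_pw = abc123
start_tls = yes
version = 3
tls_ca_cert_file = /etc/postfix/ssl/ldap13.crt
#tls_require_cert = yes
server_host = ldap://ldap13.example.com:389
search_base = ou=domains,cn=mailsystem
query_filter = (&(objectClass=CourierMailAlias)(mail=%s))
result_attribute = maildrop
"""

# Same file with the commented-out line enabled.
HARDENED_CF = SAMPLE_CF.replace("#tls_require_cert = yes", "tls_require_cert = yes")

_KV = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_cf(text):
    """Parse Postfix 'key = value' lines into a dict.

    Lines starting with '#' are comments, so a commented-out key is absent
    from the result, exactly as Postfix would see it.
    """
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            table[m.group(1).lower()] = m.group(2)
    return table


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def lint_ldap_table(table, mode=None):
    """Return a list of findings for a parsed ldap_table config.

    mode is the file's permission bits (e.g. 0o640); pass None to skip the
    permission check.
    """
    findings = []
    hosts = table.get("server_host", "").split()
    uses_ldaps = any(h.lower().startswith("ldaps://") for h in hosts)
    tls_active = _is_yes(table.get("start_tls", "no")) or uses_ldaps

    if not tls_active:
        findings.append("no TLS: start_tls is not yes and server_host is not "
                        "ldaps://; bind_pw and lookups cross the wire in clear text")
    else:
        # ldap_table(5): tls_require_cert defaults to no, and with no the
        # server certificate is not verified, so a CA file alone buys nothing.
        if not _is_yes(table.get("tls_require_cert", "no")):
            findings.append("tls_require_cert is not yes: the server certificate "
                            "is not verified, so TLS does not stop an impersonating "
                            "LDAP server")
        if "tls_ca_cert_file" not in table and "tls_ca_cert_dir" not in table:
            findings.append("no tls_ca_cert_file or tls_ca_cert_dir: nothing to "
                            "verify the server certificate against")

    if "bind_pw" in table and mode is not None and mode & stat.S_IROTH:
        findings.append("bind_pw is stored in clear text in a world-readable file; "
                        "restrict it (e.g. root:postfix 0640) and use proxy: lookups")
    return findings


def lint_file(path):
    """Lint a real ldap_table file on disk, including its permissions."""
    with open(path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return lint_ldap_table(parse_cf(text), mode)


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CF), ("with tls_require_cert", HARDENED_CF)):
        print(label)
        for finding in lint_ldap_table(parse_cf(text), mode=0o640):
            print("  -", finding)
```

Run it as is to see the posted config flagged and the corrected one come back clean, or call lint_file('/etc/postfix/ldap/aliases.cf') against a real table to include the permission check. Note that once tls_require_cert = yes is in effect the OpenLDAP client will also insist that the name in the server certificate matches the host in server_host, so a self-signed certificate whose subject does not name ldap13.example.com will then be rejected rather than silently accepted.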
