Re: Problem with ldap table lookups and TLS

From: Victor Duchovni (no email)
Date: Wed Feb 25 2009 - 17:51:24 EST

  • Next message: Voytek Eymont: "header check for '.com' blocks non-exec with url in file name"

    On Wed, Feb 25, 2009 at 03:30:51PM -0600, Nick Geron wrote:

    > Well, I have found my problem. I probably should have mentioned earlier
    > (how many times has that appeared on this list?) that ldap is used on this
    > system for local user authentication, meaning pam/nss are tied into ldap.
    > I noticed in traces that the system configs and certificates were being
    > loaded/read by proxymap and wondered if proxymap was not resetting the
    > value of the ca cert or ca dir as one would expect after it reads in the
    > alias map config.

    This is an OpenLDAP API design issue. The OpenLDAP library (at least up
    to version 2.3) has a single global SSL_CTX object, that is initialized
    just once by the first call that creates an SSL-protected LDAP connection.
    All requests to set the global SSL context properties are ignored silently
    after that point.

    To solve your problem you must make sure that your nsswitch CAfile and
    CAfile include all the certificates needed by Postfix.

    -- 
    	Viktor.
    Disclaimer: off-list followups get on-list replies or get ignored.
    Please do not ignore the "Reply-To" header.
    To unsubscribe from the postfix-users list, visit
    http://www.postfix.org/lists.html or click the link below:
    <mailto:?body=unsubscribe%20postfix-users>
    If my response solves your problem, the best way to thank me is to not
    send an "it worked, thanks" follow-up. If you must respond, please put
    "It worked, thanks" in the "Subject" so I can delete these quickly.
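The practical consequence of the single global SSL_CTX described above is that the CA bundle configured for nss/pam LDAP (loaded first, when proxymap resolves users) is the only one that ever takes effect, so the Postfix `tls_ca_cert_file` bundle must be a subset of it. The script below is an added example for this thread, not code from Postfix or OpenLDAP: it reads the CA file names out of a constructed `/etc/ldap.conf` and a constructed Postfix ldap table file, then lists every certificate in the Postfix bundle that the nss bundle lacks. The PEM bodies are constructed (base64 of short byte strings standing in for real DER) so it runs offline; the host names and paths are placeholders.

```python
"""Report CA certificates that a Postfix ldap: table expects but that the
nss/pam LDAP bundle (the one libldap loads first) does not carry.

Added example for this thread, not Postfix or OpenLDAP code. Config
snippets, paths and PEM bodies are constructed for the demo."""
import base64
import hashlib
import re
from typing import List, Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle: str) -> List[str]:
    """SHA-256 over the DER bytes of every certificate block in a bundle."""
    fps = []
    for body in PEM_RE.findall(bundle):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_nss_bundle(nss_bundle: str, postfix_bundle: str) -> List[str]:
    """Fingerprints Postfix needs that the nss/pam bundle does not have.
    libldap keeps one global SSL_CTX, so only the bundle loaded first (the
    nss one when pam/nss are tied to LDAP) is honoured; anything returned
    here will make Postfix's own LDAP lookups fail certificate verification."""
    have = set(pem_fingerprints(nss_bundle))
    return [fp for fp in pem_fingerprints(postfix_bundle) if fp not in have]


def ca_file_from_ldap_conf(text: str) -> Optional[str]:
    """CA bundle path from /etc/ldap.conf: nss_ldap/pam_ldap use
    'tls_cacertfile', OpenLDAP's own ldap.conf uses 'TLS_CACERT'."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("tls_cacertfile", "tls_cacert"):
            return parts[1].strip()
    return None


def ca_file_from_postfix_table(text: str) -> Optional[str]:
    """tls_ca_cert_file from a Postfix ldap_table(5) configuration file."""
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            if key.strip() == "tls_ca_cert_file":
                return value.strip()
    return None


def fake_pem(label: bytes) -> str:
    """Constructed stand-in for a PEM certificate block (not real DER)."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs (placeholder host and paths).
NSS_LDAP_CONF = (
    "uri ldaps://ldap.example.invalid/\n"
    "tls_cacertfile /etc/ssl/nss-ca.pem\n"
)
POSTFIX_ALIAS_MAP = (
    "server_host = ldap.example.invalid\n"
    "start_tls = yes\n"
    "tls_ca_cert_file = /etc/postfix/ldap-ca.pem\n"
)
NSS_BUNDLE = fake_pem(b"constructed root A") + fake_pem(b"constructed root B")
POSTFIX_BUNDLE = fake_pem(b"constructed root B") + fake_pem(b"constructed root C")


def report() -> List[str]:
    """Run the comparison on the constructed data; return what is missing."""
    print("nss/pam CA file:", ca_file_from_ldap_conf(NSS_LDAP_CONF))
    print("Postfix CA file:", ca_file_from_postfix_table(POSTFIX_ALIAS_MAP))
    missing = missing_from_nss_bundle(NSS_BUNDLE, POSTFIX_BUNDLE)
    for fp in missing:
        print("missing from nss/pam bundle:", fp)
    return missing


if __name__ == "__main__":
    report()
```

On a real host you would replace the inline bundles with the contents of the two files the parsers return; an empty result means the nss/pam bundle already covers everything the Postfix table verifies against, which is the condition the reply above asks for.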