From: Victor Duchovni (no email)
Date: Wed Feb 25 2009 - 17:51:24 EST

On Wed, Feb 25, 2009 at 03:30:51PM -0600, Nick Geron wrote:
> Well, I have found my problem. I probably should have mentioned earlier
> (how many times has that appeared on this list?) that ldap is used on this
> system for local user authentication, meaning pam/nss are tied into ldap.
> I noticed in traces that the system configs and certificates were being
> loaded/read by proxymap and wondered if proxymap was not resetting the
> value of the ca cert or ca dir as one would expect after it reads in the
> alias map config.

This is an OpenLDAP API design issue. The OpenLDAP library (at least up
to version 2.3) has a single global SSL_CTX object, that is initialized
just once by the first call that creates an SSL-protected LDAP connection.
All requests to set the global SSL context properties are ignored silently
after that point.

To solve your problem you must make sure that your nsswitch CAfile and
CAfile include all the certificates needed by Postfix.
--
Viktor.
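Added example, not part of the original message or of Postfix/OpenLDAP: because the first TLS setup in the process wins, one way to check the fix described above is to confirm that every CA certificate in the bundle Postfix expects is also present in the bundle nss/pam loads first. The function names and the two bundles are hypothetical; the "certificates" are constructed placeholder bytes, and in practice you would pass in the contents of the two real CA files.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop line breaks first
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def missing_from_first_loader(first_bundle, later_bundle):
    """Certificates the later consumer needs that the first-loaded bundle lacks."""
    return cert_fingerprints(later_bundle) - cert_fingerprints(first_bundle)


def _pem(der):
    # Wrap constructed bytes in PEM armor. These are NOT real certificates.
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins for the two CA files (assumptions for illustration).
CA_DIRECTORY = _pem(b"constructed DER: CA of the nss/pam LDAP server")
CA_MAIL = _pem(b"constructed DER: CA of the Postfix LDAP map server")

NSS_BUNDLE = CA_DIRECTORY                # what nss/pam loads first
POSTFIX_BUNDLE = CA_DIRECTORY + CA_MAIL  # what the Postfix LDAP map expects
MERGED_BUNDLE = NSS_BUNDLE + CA_MAIL     # nss bundle after applying the fix

if __name__ == "__main__":
    for name, bundle in (("nss bundle as-is", NSS_BUNDLE),
                         ("nss bundle merged", MERGED_BUNDLE)):
        gap = missing_from_first_loader(bundle, POSTFIX_BUNDLE)
        print(name + ":", "OK" if not gap else "missing " + ", ".join(sorted(gap)))
```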