Re: [Exim] LDAP over TLS failing to bind/lookup.

Author: Eric Renfro
Date:  
To: exim-users
Subject: Re: [Exim] LDAP over TLS failing to bind/lookup.
On Tuesday 20 August 2002 02:12 pm, Peter A. Savitch wrote:
> Hello Eric,
>
> Tuesday, August 20, 2002, 2:03:27 PM, you wrote:
>
> ER> I've tested this same auth against using ldapsearch using -ZZ to make
> ER> sure it worked over TLS, and it succeeded.
>
> ER> Also, the same thing worked, using ldap, versus ldaps. I just would
> ER> prefer it over TLS for obvious security reasons.
>
> I guess the certificate verification fails.
> Which LDAP do You use? If it's OpenLDAP, try debugging (slapd -d -1).
> Verification might fail if the server or client certificates are bad
> or the TLS library finds an untrusted self-signed certificate in the chain
> (You must specify the CA certificate).
>
> Regarding OpenLDAP.
> You can try to set TLSCACertificateFile in slapd.conf and TLS_CACERT
> in /etc/ldap.conf. The OpenLDAP library uses the environment, which is
> *INSECURE* in these circumstances. There is no complete workaround at
> this time. A local user can set a variable to disable /etc/ldap.conf
> processing, that is, to disable the CA You supplied.


Hrmmm..

I just added -h "ldap:/// ldaps:///" to my slapd startup, so now it's actually
STARTING the ldaps server.

And, it's not working very well, even still. ldapsearch -ZZ over ldaps://blah/
fails, complaining:

ldapsearch -ZZ -LL -H ldaps://ldap.mydomain.com/ -b "dc=mydomain,dc=com" -W -x -D "uid=psi-jack,ou=People,dc=mydomain,dc=com" "(uid=psi-jack)"
ldap_start_tls: Operations error
        additional info: TLS already started

In addition to that, TLS runs over the standard port of the service, rather
than SSL running on a different port. Does exim's ldap:/// attempt to try TLS
at all, or is that only done through ldaps:/// URLs?

Eric Renfro
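The two failure modes in this message (ldapsearch -ZZ against an ldaps:// URL reporting "TLS already started", and an Exim ldap:/// lookup that never verifies the server certificate) both come down to choosing one TLS mode per connection and telling the client which CA to trust. The fragment below is an added example, not configuration from this thread or from the Exim project; the Exim option names are from Exim 4.80 and later, so they postdate the 2002 discussion, and the CA path, bind DN, password file and router/transport names are placeholders.

```conf
# --- Exim main configuration section (added example; options exist in Exim 4.80+) ---
ldap_default_servers = ldap.mydomain.com
# Upgrade the plain ldap:// connection on port 389 with STARTTLS. This is the
# same thing ldapsearch -ZZ does, so it is used with ldap:///, never with
# ldaps:/// (which is already TLS from the first byte, hence "TLS already started").
ldap_start_tls = true
# CA that signed the slapd certificate (placeholder path). Without this the
# TLS library cannot build the chain and the bind fails before any lookup runs.
ldap_ca_cert_file = /etc/ssl/certs/mydomain-ca.pem
# Refuse the connection if the server certificate does not verify against that CA;
# "demand" fails closed instead of silently continuing unauthenticated.
ldap_require_cert = demand
ldap_version = 3

# --- Router using the lookup (placeholder names) ---
# The bind DN is a read-only service account; its password is read from a file
# that only the exim user can read, so it is not exposed in the config itself.
ldap_users:
  driver = accept
  condition = ${lookup ldap{user="uid=exim-reader,ou=People,dc=mydomain,dc=com" \
               pass=${readfile{/etc/exim/ldap.pass}{}} \
               ldap:///ou=People,dc=mydomain,dc=com?uid?sub?(uid=${quote_ldap:$local_part})}{yes}{no}}
  transport = local_delivery

# --- OpenLDAP client defaults, /etc/ldap.conf as named in the thread (system path varies) ---
# These apply to ldapsearch and to libldap as loaded by exim. TLS_REQCERT demand is
# the library-level counterpart of ldap_require_cert above.
TLS_CACERT  /etc/ssl/certs/mydomain-ca.pem
TLS_REQCERT demand
```

With this layout, an ldap:/// lookup is upgraded with STARTTLS on port 389 and an ldaps:/// URL would be used only if the server were also listening on 636 without STARTTLS expectations; mixing the two (as in the -ZZ plus ldaps:// command above) is what produces the "TLS already started" error. `${quote_ldap:...}` escapes the local part so that a crafted address cannot alter the search filter.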