[exim] ldaps: different behaviour daemon vs -bt

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: [exim] ldaps: different behaviour daemon vs -bt
Hello *,

I just discovered some weird anomaly. (?)

But first the facts:
    Exim version 4.51 #1 built 01-Jul-2005 19:23:14
    Copyright (c) University of Cambridge 2005
    Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (June 30, 2004)
    Support for: iconv() IPv6 OpenSSL Content_Scanning Old_Demime
    Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
    dsearch ldap ldapdn ldapm passwd
    Authenticators: cram_md5 plaintext
    Routers: accept dnslookup ipliteral manualroute queryprogram redirect
    Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
    Configuration file is /etc/exim/exim.conf



Exim is running on hostA, OpenLDAP is running on hostB. slapd on hostB
provides LDAP w/ TLS on connect on port 636.

Configuration snippet:


    ldap_default_servers = ldapmaster::636
    ...
    begin routers


    mail2cyrus:
       driver = redirect
       ...
       hide data = ${lookup ldap{ldaps:///....}



If I use exim in address test mode `exim -bt heiko@???' it
works and proper LDAP queries are sent and processed.

If exim runs as daemon and has to handle the same address it returns
a `temporary problem'. According to the log: ldap_bind() returned -1.


After a while I found a good hint here: http://www.billy.demon.nl/Eximldap.html,
so I changed 
    ldap_default_servers = ldapmaster.domain.example::636
That's the CN slapd uses in its certificate.



QUESTIONS:

    a)  Why does `exim -bt' succeed and the daemon not?
    b)  Shouldn't it be made consistent?
    c)  Shouldn't there be a more descriptive error message?
        (I'm not sure if the OpenSSL lib returns more than '-1')


Suggestion:

    -> They could include some hint near 'ldaps'...



    Best regards from Dresden
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -
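The fix reported in the post is to name the LDAP server by the CN that slapd's certificate carries. The following is an added example, not code from the post or from Exim: it models the name check that makes the short name `ldapmaster` fail and the FQDN `ldapmaster.domain.example` pass, using the RFC 6125 rules (subjectAltName dNSName entries first, subject CN only as a fallback, a `*.` wildcard covering exactly one label). It also parses Exim's `ldap_default_servers` list syntax, in which a doubled colon is a literal colon, so `ldapmaster::636` is the single item `ldapmaster:636`. The certificate dict is constructed sample data in the layout of `ssl.SSLSocket.getpeercert()`, the default port of 636 is an assumption for this ldaps case, and whether the LDAP client library in the post applies exactly these rules is likewise an assumption; the post does not say what causes the daemon vs `-bt` difference, and this example does not claim to.

```python
"""Added example (not from the mailing-list post or from Exim itself).

Models RFC 6125 hostname verification of an LDAP server name against the
server certificate, plus parsing of Exim's ldap_default_servers syntax.
Assumptions: port 636 as the default for ldaps, and that the client library
applies these matching rules. The certificate data below is constructed."""


def split_exim_list(value):
    """Split an Exim colon-separated list; a doubled colon is a literal colon,
    which is why `ldapmaster::636` is one item, `ldapmaster:636`."""
    items, current, i = [], "", 0
    while i < len(value):
        if value[i] == ":":
            if value[i + 1:i + 2] == ":":
                current += ":"
                i += 2
                continue
            items.append(current.strip())
            current = ""
            i += 1
            continue
        current += value[i]
        i += 1
    items.append(current.strip())
    return [item for item in items if item]


def parse_ldap_servers(value, default_port=636):
    """Return [(host, port)] from an ldap_default_servers value.
    default_port=636 is an assumption made for the ldaps case discussed."""
    servers = []
    for item in split_exim_list(value):
        host, _, port = item.partition(":")
        servers.append((host, int(port) if port else default_port))
    return servers


def cert_dns_names(cert):
    """Names the certificate is valid for, in the dict layout returned by
    ssl.SSLSocket.getpeercert(): SAN dNSName entries win; the subject CN is
    consulted only when the certificate carries no dNSName at all."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a leading `*.` wildcard covering
    exactly one left-most label (no partial-label wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]               # e.g. ".domain.example"
        if hostname.endswith(suffix):
            leftmost = hostname[:-len(suffix)]
            return bool(leftmost) and "." not in leftmost
    return False


def hostname_matches_cert(hostname, cert):
    """True if any name in the certificate matches the configured host."""
    return any(name_matches(p, hostname) for p in cert_dns_names(cert))


def check_ldap_servers(value, cert):
    """Map each configured host to whether name verification would accept
    it against the given server certificate."""
    return {host: hostname_matches_cert(host, cert)
            for host, _port in parse_ldap_servers(value)}


# Constructed sample: a slapd certificate like the one in the post, carrying
# only a subject CN and no subjectAltName.
SLAPD_CERT = {
    "subject": ((("commonName", "ldapmaster.domain.example"),),),
}

if __name__ == "__main__":
    for config in ("ldapmaster::636", "ldapmaster.domain.example::636"):
        print(config, "->", check_ldap_servers(config, SLAPD_CERT))
```

Run stand-alone, the short name reports `False` and the FQDN `True`, which is the difference the configuration change in the post removes; the check is purely local, so it can be used to vet a server list against a certificate dumped from the real slapd without opening a connection.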