Hello.
While investigating a strange issue with exim, STARTTLS and LDAP, I have
found that lookups/ldap.c does not check the value returned by the
ldap_start_tls_s(3) function. That is why the error exim reports in its
debug output does not correspond to the actual situation.
More than that, it is possible to pinpoint the exact problem that caused
the error via ldap_get_option(3) with LDAP_OPT_DIAGNOSTIC_MESSAGE, e.g.:
----------------------------------------------------------------------------------
ldap_start_tls_s() failed: Connect error, error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate in certificate chain)
----------------------------------------------------------------------------------
I think that exim should check the value returned by ldap_start_tls_s, as
the subsequent call to ldap_bind() returns an inappropriate error.
I have written a small patch which changes the error reporting behaviour
to be more predictable.
Debug output without patch: (exim -v -d+all -bh 8.8.8.8 -C ./configure)
----------------------------------------------------------------------------------
20:19:52 81575 initialized for LDAP (v3) server
rw2.devel.ldap.hostcomm.ru:389
20:19:52 81575 LDAP_OPT_X_TLS_TRY set
20:19:52 81575 binding with user=uid=dbanschikov,ou=users,o=hc
password=password
;; res_querydomain(rw2.devel.ldap.hostcomm.ru, <Nil>)
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 1)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55715
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55715
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
rw2.devel.ldap.hostcomm.ru. 3m26s IN A 10.14.10.186
ldap.hostcomm.ru. 3m26s IN NS dns.ovr.hc.ru.
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 28)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, AAAA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55716
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
ldap.hostcomm.ru. 3m26s IN SOA dns.ovr.hc.ru. support.hc.ru. (
2011082302 ; serial
3H ; refresh
1H ; retry
2D ; expiry
10M ) ; minimum
;; rcode = 0, ancount=0
20:19:52 81575 failed to bind the LDAP connection to server
rw2.devel.ldap.hostcomm.ru:389 - LDAP error: result retrieval failed
20:19:52 81575 lookup deferred: failed to bind the LDAP connection to
server rw2.devel.ldap.hostcomm.ru:389 - LDAP error: result retrieval failed
----------------------------------------------------------------------------------
Debug output with patch: (exim -v -d+all -bh 8.8.8.8 -C ./configure)
----------------------------------------------------------------------------------
20:23:18 83019 initialized for LDAP (v3) server
rw2.devel.ldap.hostcomm.ru:389
20:23:18 83019 LDAP_OPT_X_TLS_TRY set
20:23:18 83019 binding with user=uid=dbanschikov,ou=users,o=hc
password=password
;; res_querydomain(rw2.devel.ldap.hostcomm.ru, <Nil>)
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 1)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40247
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = A, class = IN
rw2.devel.ldap.hostcomm.ru. 5M IN A 10.14.10.186
ldap.hostcomm.ru. 5M IN NS dns.ovr.hc.ru.
;; res_query(rw2.devel.ldap.hostcomm.ru, 1, 28)
;; res_nmkquery(QUERY, rw2.devel.ldap.hostcomm.ru, IN, AAAA)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40248
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40248
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; rw2.devel.ldap.hostcomm.ru, type = AAAA, class = IN
ldap.hostcomm.ru. 5M IN SOA dns.ovr.hc.ru. support.hc.ru. (
2011082302 ; serial
3H ; refresh
1H ; retry
2D ; expiry
10M ) ; minimum
;; rcode = 0, ancount=0
20:23:18 83019 failed to initiate TLS processing on an LDAP session to
server rw2.devel.ldap.hostcomm.ru:389 - ldap_start_tls_s() returned -11:
Connect error
20:23:18 83019 lookup deferred: failed to initiate TLS processing on an
LDAP session to server rw2.devel.ldap.hostcomm.ru:389 -
ldap_start_tls_s() returned -11: Connect error
----------------------------------------------------------------------------------
--
Dmitry Banschikov
--- src/lookups/ldap.c.orig 2012-05-02 19:50:51.000000000 +0000
+++ src/lookups/ldap.c 2012-05-02 20:04:39.000000000 +0000
@@ -523,7 +523,12 @@
/* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this: */
if (eldap_start_tls)
{
- ldap_start_tls_s(lcp->ld, NULL, NULL);
+ if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS) {
+ *errmsg = string_sprintf("failed to initiate TLS processing on an "
+ "LDAP session to server %s%s - ldap_start_tls_s() returned %d:"
+ " %s", host, porttext, rc, ldap_err2string(rc));
+ goto RETURN_ERROR;
+ }
}
#endif
if ((msgid = ldap_bind(lcp->ld, CS user, CS password, LDAP_AUTH_SIMPLE))
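Review bot: `rc` is assigned in the new `if ( (rc = ldap_start_tls_s(lcp->ld, NULL, NULL)) != LDAP_SUCCESS)` but the hunk adds no declaration for it; please confirm `rc` is an existing `int` local of this function, and that the `RETURN_ERROR` label it jumps to also releases `lcp->ld`, since the handle is already initialised at this point. Two smaller points: the message built with `string_sprintf` could append the LDAP_OPT_DIAGNOSTIC_MESSAGE text mentioned at the top of the mail (the OpenSSL "certificate verify failed" reason), which `ldap_err2string(rc)` alone does not carry; and the `) {` brace placement differs from the surrounding style, where `{` sits on its own line as in the unchanged `if (eldap_start_tls)` block.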