[exim-dev] [Bug 1382] ldap_require_cert has no effect

Author: Todd Lyons
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1382] ldap_require_cert has no effect

http://bugs.exim.org/show_bug.cgi?id=1382
--- Comment #6 from Todd Lyons <tlyons@???> 2013-09-10 02:35:00 ---
On Mon, Sep 9, 2013 at 5:01 PM, alxgomz <alxgomz@???> wrote:
> I have tried both patches but it doesn't fix the issue.
> The debug still show "LDAP_OPT_X_TLS_TRY" regardless of the value of
> ldap_require_cert = allow.
>
> I have also tried the patch from the following page
> https://gist.github.com/mrballcb/6501428, but that didn't help either.


Can you show the debug output to see what the LDAP_OPT_X_TLS is being
set to with the patch from that gist? Add into the patch, right
before the first ldap_set_option() call:

debug_printf("setting value LDAP_OPT_X_TLS = %d\n", tls_option);

I want to make sure that it's setting the option the way we think it should be.

> I have added a debug line before the ldap_start_tls_s line 534 in order to
> check the options of the ldap connection:
>
>  533     debug_printf("trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = %d\n", cert_option);
>
> It seems to be set properly (according to ldap.h) from the config file as I
> get:
>
> 00:31:37 6469 3 set for cert_option
> 00:31:37 6469 binding with user=uid=exim,dc=middle,dc=earth password=eximmta
> 00:31:37 6469 trying to connect using LDAP_OPT_X_TLS_REQUIRE_CERT = 3


Yes that looks good. Now let's look at the initial setting with the
extra debug statement above.

> But as you can see I still get a connection error and checking the network dump
> I see I have the following TLS alert: "Unknown CA", which shouldn't happen with
> ldap_require_cert set to allow.


I don't know if that shouldn't happen. Rather, it should just be
ignored per the setting above.

> I cannot exclude any set up error on my side, but again, I have dovecot happily
> doing ldap TLS against the same LDAP server (so with the same self signed
> certificate) with similar configuration (tls = yes tls_require_cert = allow).


And we're, in theory, trying to align those behaviors.

