Re: [exim] Exim 4.82 LDAPS problems

Author: Todd Lyons
To: exim-dev, alxgomz
CC: exim-users
Subject: Re: [exim] Exim 4.82 LDAPS problems
On Wed, Oct 30, 2013 at 7:02 AM, Heiko Schlichting
<exim-users@???> wrote:
> Todd Lyons wrote:
>> > In exim 4.80.1:
>> >     ldap_initialize with URL ldaps://ldap.example.org:636/
>> >     initialized for LDAP (v3) server ldap.example.org:636
>> >     LDAP_OPT_X_TLS_HARD set
> ldap.example.org:636 is self-signed and localhost:8636 is not self-signed.
> Usually in ~/.ldaprc
>     TLS_REQCERT allow
> is set for this exim user.
>
>> > and exim 4.82:
>> >     ldap_initialize with URL ldaps://ldap.example.org:636/
>> >     initialized for LDAP (v3) server ldap.example.org:636
>> >     Require certificate overrides LDAP_OPT_X_TLS option (0)

We spent a little time offlist debugging and testing things. We got a
decent handle on the problem, though the cause of the problems was a
little unclear at first. We could see that setting options one way
worked for me, and the old way worked for him.

Some very specific googling resulted in finding this OpenLDAP post:
http://www.openldap.org/lists/openldap-technical/201202/msg00463.html
...which led to this post by Viktor on the Postfix mailing list:
http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57688.html

It seems Viktor had to slog through the same thing a few years back
when OpenLDAP changed the behavior of the client libraries from 2.3 to
2.4. Once I saw his patch, it became clear why I was seeing the
inconsistent behavior, and I did roughly the same steps (#ifdef guards
a variable assignment at compile time based on what client libs
provide).

I do expect it will be fixed by the patch to src/src/lookups/ldap.c in
the most recent commit in my testing tree [1]. It does "the right
thing" on my system with newer ldap client libs, and I'm awaiting
feedback from Heiko to see if it works on his system with older ldap
client libs. If anybody else is able to test this patch on a system
(any OS and openldap libs combo is great) against an actual ldap
server, I would be most appreciative.

Alex, I cc'd you on this because I would like for you to verify, if at
all possible, that this patch does not break your system for which we
did the work on bug 1382 to fix the ldap_require_cert patching.

...Todd

[1] http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_set_ldap_options

--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
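The compile-time selection Todd describes (an #ifdef guard choosing which OpenLDAP client option carries the "require certificate" policy, depending on what the installed client libraries provide) is shown below as an added example. It is not code from Exim, Postfix, or Todd's or Viktor's patch. It assumes the option names and values from OpenLDAP's ldap.h; when that header is not installed, it mirrors the 2.4 values locally so the selection logic still compiles. The function names (`tls_cert_policy_option`, `tls_cert_policy_verifies_peer`) and the `struct tls_cert_choice` are hypothetical.

```c
/* Added example, not Exim's or Postfix's code: map a TLS_REQCERT-style
 * policy word to the OpenLDAP client option that carries it, choosing the
 * option at compile time with #ifdef guards on what ldap.h provides. */
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<ldap.h>)
#    include <ldap.h>
#  endif
#endif

/* Assumption: when no ldap.h is installed, mirror the OpenLDAP 2.4 values so
 * the selection logic compiles; a real build takes them from the header. */
#ifndef LDAP_OPT_X_TLS
#  define LDAP_OPT_X_TLS              0x6000
#  define LDAP_OPT_X_TLS_REQUIRE_CERT 0x6006
#  define LDAP_OPT_X_TLS_NEVER        0
#  define LDAP_OPT_X_TLS_HARD         1
#  define LDAP_OPT_X_TLS_DEMAND       2
#  define LDAP_OPT_X_TLS_ALLOW        3
#  define LDAP_OPT_X_TLS_TRY          4
#endif

struct tls_cert_choice {
    int option;            /* option number to hand to ldap_set_option() */
    int value;             /* mode constant ldap_set_option() is pointed at */
    int uses_require_cert; /* 1 when LDAP_OPT_X_TLS_REQUIRE_CERT was available */
    const char *option_name;
};

/* Translate the policy word (the TLS_REQCERT vocabulary from ldap.conf(5))
 * to a mode constant. Returns -1 for an unknown word. */
static int tls_cert_mode(const char *policy)
{
    if (strcmp(policy, "never") == 0)  return LDAP_OPT_X_TLS_NEVER;
    if (strcmp(policy, "allow") == 0)  return LDAP_OPT_X_TLS_ALLOW;
    if (strcmp(policy, "try") == 0)    return LDAP_OPT_X_TLS_TRY;
    if (strcmp(policy, "demand") == 0) return LDAP_OPT_X_TLS_DEMAND;
    if (strcmp(policy, "hard") == 0)   return LDAP_OPT_X_TLS_HARD;
    return -1;
}

/* Only "demand" and "hard" require the server certificate to be present and
 * verified; "never", "allow" and "try" let an unverified or absent peer
 * certificate through, which is what makes a self-signed server "work". */
int tls_cert_policy_verifies_peer(const char *policy)
{
    int mode = tls_cert_mode(policy);
    return mode == LDAP_OPT_X_TLS_DEMAND || mode == LDAP_OPT_X_TLS_HARD;
}

/* Pick the option that carries the policy on this build's client libs.
 * Returns 0 on success, -1 when the policy word is unknown (the caller should
 * refuse rather than silently fall back to a weaker check). */
int tls_cert_policy_option(const char *policy, struct tls_cert_choice *out)
{
    int mode = tls_cert_mode(policy);
    if (mode < 0)
        return -1;
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
    /* OpenLDAP 2.4 client libs: certificate checking has its own option. */
    out->option = LDAP_OPT_X_TLS_REQUIRE_CERT;
    out->uses_require_cert = 1;
    out->option_name = "LDAP_OPT_X_TLS_REQUIRE_CERT";
#else
    /* Older client libs: assumption that the same mode constants are set
     * through LDAP_OPT_X_TLS, matching the 4.80.1 debug line
     * "LDAP_OPT_X_TLS_HARD set". */
    out->option = LDAP_OPT_X_TLS;
    out->uses_require_cert = 0;
    out->option_name = "LDAP_OPT_X_TLS";
#endif
    out->value = mode;
    return 0;
}

int main(void)
{
    const char *policies[] = { "never", "allow", "try", "demand", "hard", "bogus" };
    size_t i;
    for (i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        struct tls_cert_choice c;
        if (tls_cert_policy_option(policies[i], &c) != 0) {
            printf("%-6s -> rejected (unknown policy)\n", policies[i]);
            continue;
        }
        printf("%-6s -> ldap_set_option(ld, %s, &value) with value %d%s\n",
               policies[i], c.option_name, c.value,
               tls_cert_policy_verifies_peer(policies[i]) ? ""
                                                           : "  [peer cert not enforced]");
    }
    return 0;
}
```

In a real client the chosen pair is applied with `ldap_set_option(ld, c.option, &c.value)` before the connection is opened; the point of the guard is that on 2.4 libraries the value must go through `LDAP_OPT_X_TLS_REQUIRE_CERT`, since the require-cert setting takes precedence over whatever was set via `LDAP_OPT_X_TLS`, while pre-2.4 libraries only know the latter. The `verifies_peer` check is the operational takeaway: a `TLS_REQCERT allow` in `~/.ldaprc` is exactly what lets a self-signed directory server pass unnoticed.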