Re: [exim] Exim 4.82 LDAPS problems

Author: Alexandre
Date:  
To: Todd Lyons
CC: exim-users, exim-dev
Subject: Re: [exim] Exim 4.82 LDAPS problems
Hi Todd,

Thanks for forwarding me this.
This indeed looks like the right way to do things. I am just surprised
this is not documented anywhere and nobody raised that when I asked on
the openldap IRC channel. Nonetheless, it works for me as well as using
NULL as an ldap handle.
I have no doubt this is a better approach (more modern, let's say)
than the one we chose previously, but my understanding is that it
won't bring additional advantages as the ldap_require_cert exim option
is global. Am I right? Or am I missing something?
In any case, I don't have much time to test the patch as I am moving
back to France right now, but for what I have tested, it doesn't break
my setup (tested ldap lookup for rcpt to verification).

Regards, Alex.

2013/10/31 Todd Lyons <tlyons@???>:
> On Wed, Oct 30, 2013 at 7:02 AM, Heiko Schlichting
> <exim-users@???> wrote:
>> Todd Lyons wrote:
>>> > In exim 4.80.1:
>>> >     ldap_initialize with URL ldaps://ldap.example.org:636/
>>> >     initialized for LDAP (v3) server ldap.example.org:636
>>> >     LDAP_OPT_X_TLS_HARD set
>> ldap.example.org:636 is self-signed and localhost:8636 is not self-signed.
>> Usually in ~/.ldaprc
>>     TLS_REQCERT allow
>> is set for this exim user.
>>
>>> > and exim 4.82:
>>> >     ldap_initialize with URL ldaps://ldap.example.org:636/
>>> >     initialized for LDAP (v3) server ldap.example.org:636
>>> >     Require certificate overrides LDAP_OPT_X_TLS option (0)
>
> We spent a little time offlist debugging and testing things. We got a
> decent handle on the problem, though the cause of the problems was a
> little unclear at first. We could see that setting options one way
> worked for me, and the old way worked for him.
>
> Some very specific googling resulted in finding this OpenLDAP post:
> http://www.openldap.org/lists/openldap-technical/201202/msg00463.html
> ...which led to this post by Viktor on the Postfix mailing list:
> http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57688.html
>
> It seems Viktor had to slog through the same thing a few years back
> when OpenLDAP changed the behavior of the client libraries from 2.3 to
> 2.4. Once I saw his patch, it became clear why I was seeing the
> inconsistent behavior, and I did roughly the same steps (#ifdef guards
> a variable assignment at compile time based on what client libs
> provide).
>
> I do expect it will be fixed by the patch to src/src/lookups/ldap.c in
> the most recent commit in my testing tree [1]. It does "the right
> thing" on my system with newer ldap client libs, and I'm awaiting
> feedback from Heiko to see if it works on his system with older ldap
> client libs. If anybody else is able to test this patch on a system
> (any OS and openldap libs combo is great) against an actual ldap
> server, I would be most appreciative.
>
> Alex, I cc'd you on this because I would like for you to verify, if at
> all possible, that this patch does not break your system for which we
> did the work on bug 1382 to fix the ldap_require_cert patching.
>
> ...Todd
>
> [1] http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_set_ldap_options
>
> --
> The total budget at all receivers for solving senders' problems is $0.
> If you want them to accept your mail and manage it the way you want,
> send it the way the spec says to. --John Levine
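The thread turns on which TLS_REQCERT level the exim user's libldap actually ends up with: Heiko's `~/.ldaprc` sets `TLS_REQCERT allow` so that a self-signed LDAP server certificate is accepted, and Exim's own `ldap_require_cert`, when set, overrides that (the 4.82 debug line "Require certificate overrides LDAP_OPT_X_TLS option"). The following audit helper is an added example, not code from the thread or from Exim: it parses ldap.conf-style files in the order libldap reads them (system `ldap.conf`, then the user's `~/.ldaprc`), applies the `LDAPTLS_REQCERT` environment override, and reports whether the effective level verifies the server certificate. The sample config texts and the source labels are constructed; the level semantics and the `demand` default follow ldap.conf(5). It covers the libldap configuration only, so an Exim `ldap_require_cert` setting must be checked separately.

```python
"""Audit the effective OpenLDAP client TLS_REQCERT level for a service user.

Added example (not from the exim thread): libldap reads the system ldap.conf,
then the user's ~/.ldaprc, and the LDAPTLS_REQCERT environment variable
overrides both. Sample configs below are constructed; level semantics and
the default follow ldap.conf(5).
"""

# Certificate-check behaviour of each TLS_REQCERT level, per ldap.conf(5).
REQCERT_LEVELS = {
    "never": "no certificate requested, nothing verified",
    "allow": "certificate requested; a bad or missing one is silently accepted",
    "try": "certificate requested; missing is accepted, bad aborts the session",
    "demand": "certificate required and verified; failure aborts the session",
    "hard": "same as demand",
}
# Only these levels reject a server certificate that fails verification.
VERIFYING_LEVELS = {"demand", "hard"}
LIBLDAP_DEFAULT = "demand"

# Constructed sample: a system-wide ldap.conf that pins a CA and demands it.
SYSTEM_LDAP_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE    dc=example,dc=org
URI     ldaps://ldap.example.org:636/
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
"""

# Constructed sample: the exim user's ~/.ldaprc as described in the thread.
EXIM_USER_LDAPRC = """\
# ~/.ldaprc of the exim user (constructed sample)
TLS_REQCERT allow
"""


def parse_ldap_conf(text):
    """Parse ldap.conf/.ldaprc text into {KEYWORD: value}.

    One 'KEYWORD value' per line, '#' starts a comment, keywords are
    case-insensitive; a later line for the same keyword wins.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts


def effective_reqcert(sources, env):
    """Return (level, origin) after applying the sources in read order.

    sources: [(label, text), ...] in the order libldap reads them
             (system ldap.conf first, ~/.ldaprc after).
    env:     environment mapping; LDAPTLS_REQCERT overrides every file.
    """
    level, origin = LIBLDAP_DEFAULT, "libldap default"
    for label, text in sources:
        value = parse_ldap_conf(text).get("TLS_REQCERT")
        if value is not None:
            level, origin = value.lower(), label
    env_value = env.get("LDAPTLS_REQCERT")
    if env_value:
        level, origin = env_value.lower(), "LDAPTLS_REQCERT environment"
    return level, origin


def audit_reqcert(sources, env):
    """Summarise the effective level and whether it verifies the server."""
    level, origin = effective_reqcert(sources, env)
    verifies = level in VERIFYING_LEVELS
    if level not in REQCERT_LEVELS:
        finding = "unrecognised TLS_REQCERT value %r from %s" % (level, origin)
    elif verifies:
        finding = "server certificate is verified (%s, from %s)" % (level, origin)
    else:
        finding = ("server certificate is NOT enforced: %s = %s (from %s); "
                   "a self-signed or substituted certificate is accepted"
                   % (level, REQCERT_LEVELS[level], origin))
    return {"level": level, "origin": origin, "verifies": verifies,
            "finding": finding}


if __name__ == "__main__":
    sources = [("/etc/ldap/ldap.conf", SYSTEM_LDAP_CONF),
               ("~exim/.ldaprc", EXIM_USER_LDAPRC)]
    # As in the thread: the user's .ldaprc downgrades the system-wide demand.
    print(audit_reqcert(sources, {})["finding"])
    # An operator override in the service environment restores verification.
    print(audit_reqcert(sources, {"LDAPTLS_REQCERT": "demand"})["finding"])
```

Run it as-is to see the downgrade the thread describes; point `sources` at the real files (read in the same order) to audit a host. A `verifies: False` result for the exim user means the LDAPS connection accepts any server certificate unless Exim's `ldap_require_cert` overrides it.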