Re: [exim] Exim 4.82 LDAPS problems

Author: Alexandre
Date:  
To: Todd Lyons
CC: exim-users, exim-dev
Subject: Re: [exim] Exim 4.82 LDAPS problems
Hi, I couldn't help testing a bit further. I have found that the
options, if set in ldap.conf or .ldaprc, are not taken into account on
my setup.
Options (tested only cipher suite and cert verification level) work OK
if the exim option is used (ldap_require_cert = allow), which is good
enough in my case, but may not be what others expect.

Regards, Alex.

2013/10/31 Todd Lyons <tlyons@???>:
> On Wed, Oct 30, 2013 at 7:02 AM, Heiko Schlichting
> <exim-users@???> wrote:
>> Todd Lyons wrote:
>>> > In exim 4.80.1:
>>> >     ldap_initialize with URL ldaps://ldap.example.org:636/
>>> >     initialized for LDAP (v3) server ldap.example.org:636
>>> >     LDAP_OPT_X_TLS_HARD set
>> ldap.example.org:636 is self signed and localhost:8636 is not selfsigned.
>> Usually in ~/.ldaprc
>>     TLS_REQCERT allow
>> is set for this exim user.
>>
>>> > and exim 4.82:
>>> >     ldap_initialize with URL ldaps://ldap.example.org:636/
>>> >     initialized for LDAP (v3) server ldap.example.org:636
>>> >     Require certificate overrides LDAP_OPT_X_TLS option (0)
>
> We spent a little time offlist debugging and testing things. We got a
> decent handle on the problem, though the cause of the problems was a
> little unclear at first. We could see that setting options one way
> worked for me, and the old way worked for him.
>
> Some very specific googling resulted in finding this OpenLDAP post:
> http://www.openldap.org/lists/openldap-technical/201202/msg00463.html
> ...which led to this post by Viktor on the Postfix mailing list:
> http://www.mailinglistarchive.com/postfix-users@postfix.org/msg57688.html
>
> It seems Viktor had to slog through the same thing a few years back
> when OpenLDAP changed the behavior of the client libraries from 2.3 to
> 2.4. Once I saw his patch, it became clear why I was seeing the
> inconsistent behavior, and I did roughly the same steps (#ifdef guards
> a variable assignment at compile time based on what client libs
> provide).
>
> I do expect it will be fixed by the patch to src/src/lookups/ldap.c in
> the most recent commit in my testing tree [1]. It does "the right
> thing" on my system with newer ldap client libs, and I'm awaiting
> feedback from Heiko to see if it works on his system with older ldap
> client libs. If anybody else is able to test this patch on a system
> (any OS and openldap libs combo is great) against an actual ldap
> server, I would be most appreciative.
>
> Alex, I cc'd you on this because I would like for you to verify, if at
> all possible, that this patch does not break your system for which we
> did the work on bug 1382 to fix the ldap_require_cert patching.
>
> ...Todd
>
> [1] http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_set_ldap_options
>
> --
> The total budget at all receivers for solving senders' problems is $0.
> If you want them to accept your mail and manage it the way you want,
> send it the way the spec says to. --John Levine