openldap lookup error

openldap lookup error

hyndavirapuru
Hi,

I have configured Postfix to work with an OpenLDAP server for lookups.
The main.cf configuration is as below:

##################################################
virtual_mailbox_domains=1CorpHQ.tcs.mil.in
virtual_mailbox_base=/var/mail/vmail
virtual_mailbox_maps=ldap:/etc/postfix/virtual_mailbox_ssl_ldapusers
virtual_alias_maps=ldap:/etc/postfix/virtual_alias_map_ssl_ldapusers,
    ldap:/etc/postfix/ldapdistlist_ssl.cf
virtual_minimum_uid=1000
virtual_uid_maps=static:6000
virtual_gid_maps=static:6000

######################################################

The virtual_alias_map_ssl_ldapusers file is as below:

server_host = ldap://1CorpHQ:389
#server_port = 389
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/new_certs_/ca_cert_ldap.pem
bind = yes
bind_dn = cn=admin,dc=tcs,dc=mil,dc=in
bind_pwd = tcsmsg
version = 3
search_base = dc=tcs,dc=mil,dc=in
scope = sub
timeout = 5
query_filter = uid=%u
result_attribute = mailHost
debuglevel = 1


But when I'm sending mail, Postfix is not able to contact the directory
server. The log is as follows:


Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: initializing the server-side TLS engine
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: connect from unknown[201.123.80.7]
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: setting up TLS connection from unknown[201.123.80.7]
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: unknown[201.123.80.7]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:before/accept initialization
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 read client hello A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 write server hello A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 write certificate A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 write key exchange A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 write server done A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 flush data
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 read client key exchange A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 read finished A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 write change cipher spec A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 write finished A
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: SSL_accept:SSLv3 flush data
Sep  6 17:02:50 1CorpHQ postfix/smtpd[28812]: Anonymous TLS connection established from unknown[201.123.80.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_create
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_url_parse_ext(ldap://1CorpHQ:389)
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_extended_operation_s
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_extended_operation
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_send_initial_request
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_new_connection 1 1 0
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_int_open_connection
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_connect_to_host: TCP 1CorpHQ:389
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_new_socket: 13
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_prepare_socket: 13
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_connect_to_host: Trying 127.0.0.1:389
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_pvt_connect: fd: 13 tm: 5 async: 0
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_ndelay_on: 13
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: attempting to connect:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: connect errno: 115
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_int_poll: fd: 13 tm: 5
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_is_sock_ready: 13
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_ndelay_off: 13
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_pvt_connect: 0
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_open_defconn: successful
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_send_server_request
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_scanf fmt ({it) ber:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_scanf fmt ({) ber:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_flush2: 31 bytes to sd 13
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_result ld 0xc7e2c0 msgid 1
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: wait4msg ld 0xc7e2c0 msgid 1 (infinite timeout)
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: wait4msg continue ld 0xc7e2c0 msgid 1 all 1
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ** ld 0xc7e2c0 Connections:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: * host: 1CorpHQ  port: 389  (default)
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:   refcnt: 2  status: Connected
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:   last used: Wed Sep  6 17:02:50 2017
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ** ld 0xc7e2c0 Outstanding Requests:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:  * msgid 1,  origid 1, status InProgress
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:    outstanding referrals 0, parent count 0
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:   ld 0xc7e2c0 request count 1 (abandoned 0)
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ** ld 0xc7e2c0 Response Queue:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:    Empty
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug:   ld 0xc7e2c0 response count 0
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_chkResponseList ld 0xc7e2c0 msgid 1 all 1
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_chkResponseList returns ld 0xc7e2c0 NULL
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_int_select
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: read1msg: ld 0xc7e2c0 msgid 1 all 1
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_get_next
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: read1msg: ld 0xc7e2c0 msgid 1 message type extended-result
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: read1msg: ld 0xc7e2c0 0 new referrals
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: read1msg:  mark request completed, ld 0xc7e2c0 msgid 1
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: request done: ld 0xc7e2c0 msgid 1
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <>
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_free_request (origid 1, msgid 1)
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_parse_extended_result
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_scanf fmt ({eAA) ber:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_parse_result
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_scanf fmt ({iAA) ber:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ber_scanf fmt (}) ber:
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_msgfree
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: TLS: could not read certificate file /etc/postfix/new_certs_/ca_cert_ldap.pem - error -5966:Access Denied.
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: TLS: /etc/postfix/new_certs_/ca_cert_ldap.pem is not a valid CA certificate file - error -5966:Access Denied.
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: TLS: could not perform TLS system initialization.
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: TLS: error: could not initialize moznss security context - error -5966:Access Denied
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: TLS: can't create ssl handle.
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: ldap_err2string
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: warning: ldap:/etc/postfix/virtual_alias_map_ssl_ldapusers: table lookup problem


The log is saying that the CA certificate (which is a self-signed certificate) of
the LDAP server is not valid. But I have written C code to search the LDAP server,
which uses the same CA certificate, and it executes without any error.

Please find the attached LDAP CA file. Please let me know where I am going
wrong.

Thanks in advance.

--
Thanks & Regards
Hyndavi rapuru
Member( Research Staff)
Central Research Laboratory
Bharat Electronics Ltd
Jalahalli
Bangalore- 560 013

Int Ph No: 134
Off Ph No: 080-28381125
Off Fax No: 28381168

Every 3000 sheets of paper costs us a tree. Save trees. Conserve
trees. Don't print this email or any files unless you really need to!

Confidentiality Notice

The information contained in this electronic message and any
attachments to this message are intended for the exclusive use of
the addressee(s) and may contain confidential or privileged
information. If you are not the intended recipient, please notify
the sender at Bharat Electronics or [hidden email] immediately and
destroy all copies of this message and any attachments.


Attachment: ca_cert_ldap.pem (1K)
Re: openldap lookup error

Bill Cole-3
On 6 Sep 2017, at 7:55, [hidden email] wrote:

> Sep  6 17:02:50 1CorpHQ postfix/trivial-rewrite[28815]: dict_ldap_debug: TLS: could not read certificate file /etc/postfix/new_certs_/ca_cert_ldap.pem - error -5966:Access Denied.

Check the permissions on that file. It must be readable by the postfix
user. Your LDAP server may require very tight permissions (0400 or 0600)
on all the certificate files that it uses, so you may need to use a copy
of the file that postfix can access, distinct from the copy used by the
LDAP server.

It also MAY be that an extra security layer (such as SELinux) is
blocking access to that file.
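Bill's check, as an added shell example that is not from the thread. Two details of the log make it the right first step: the failing lookup is done by trivial-rewrite, which runs as the unprivileged postfix user, and the "moznss" messages show an OpenLDAP client library built against Mozilla NSS, which opens tls_ca_cert_file as an ordinary file, so the "Access Denied" is a failed open of the PEM, not a malformed certificate. A test program run from the poster's own shell does not see that. The script walks every directory from / down to the CA file and reports the first component whose mode bits stop members of a given group (postfix), using only ls so it can be run as root without restarting anything. The function names, the install_ca_copy helper and the paths in the usage line are mine. It assumes the file and its directories are not owned by the postfix user itself (files under /etc/postfix are normally root-owned), so only group and "other" bits decide; an SELinux denial is invisible to this check.

```shell
#!/bin/sh
# Added example (not code from the thread): reproduce Bill Cole's permission
# check on the CA file from the log, using only the mode bits so it can be run
# as root before touching the running Postfix.
#
# Assumptions (mine, not the thread's): the file and its directories are not
# owned by the postfix user itself, so only the group and "other" bits matter;
# SELinux or other MAC denials are invisible to this check.

# perms_and_group PATH -> "MODE GROUP" (e.g. "-rw-r----- postfix"), following
# symlinks.  ls -l output is portable where stat's format flags are not.
perms_and_group() {
    set -- $(ls -ldL "$1" 2>/dev/null)
    [ -n "${1:-}" ] || return 1
    echo "$1 $4"
}

# can_reach KIND PATH GROUP -> 0 if members of GROUP get search permission
# (KIND=dir) or read permission (KIND=file) on PATH, either through the
# "other" bits or, when PATH's group is GROUP, through the group bits.
can_reach() {
    kind=$1; p=$2; want=$3
    pg=$(perms_and_group "$p") || return 1
    mode=${pg% *}; grp=${pg#* }
    if [ "$kind" = dir ]; then
        other='d????????[xt]*'   # other: x (sticky+x is shown as t)
        group='d?????[xs]???*'   # group: x (setgid+x is shown as s)
    else
        other='-??????r??*'      # other: r
        group='-???r?????*'      # group: r
    fi
    case $mode in $other) return 0 ;; esac
    [ "$grp" = "$want" ] || return 1
    case $mode in $group) return 0 ;; esac
    return 1
}

# check_ca_path FILE GROUP [START_DIR]
# Walks every directory below START_DIR (default /) on the way to FILE and
# prints the first one that members of GROUP cannot enter, or the file itself
# if they cannot read it.  Exit status: 0 reachable, 1 blocked, 2 bad input.
check_ca_path() {
    f=$1; want=$2; start=${3:-/}
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    case $f in /*) ;; *) f=$(pwd)/$f ;; esac
    dir=${f%/*}
    start=${start%/}                       # "/" -> "", "/a/b/" -> "/a/b"
    case $dir in "$start"|"$start"/*) ;;
        *) echo "BADSTART $start is not above $f"; return 2 ;; esac
    rel=${dir#"$start"}
    path=${start:-/}
    oldifs=$IFS; IFS=/; set -- $rel; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path=${path%/}/$comp
        can_reach dir "$path" "$want" || {
            echo "BLOCKED_DIR $path ($(perms_and_group "$path"))"; return 1; }
    done
    can_reach file "$f" "$want" || {
        echo "BLOCKED_FILE $f ($(perms_and_group "$f"))"; return 1; }
    echo "OK $f ($(perms_and_group "$f"))"
}

# install_ca_copy SRC DST GROUP: the fix Bill suggests when the LDAP server
# must keep its own copy at 0400/0600: give Postfix a separate copy that only
# root and GROUP can read, and point tls_ca_cert_file at DST.
install_ca_copy() {
    install -m 0640 -g "$3" "$1" "$2"
}

# Stand-alone use: sh check_ca.sh /etc/postfix/new_certs_/ca_cert_ldap.pem [group]
if [ -n "${1:-}" ]; then
    check_ca_path "$1" "${2:-postfix}"
fi
```

If the script reports BLOCKED on the file or on a directory, give Postfix its own copy (install_ca_copy /etc/openldap/certs/ca.pem /etc/postfix/ca_cert_ldap.pem postfix, paths assumed) and set tls_ca_cert_file to the copy. If it reports OK and the lookup still fails, the remaining suspect is the MAC layer Bill mentions: ausearch -m AVC -ts recent lists SELinux denials against the postfix domains, and restorecon -Rv /etc/postfix puts the default labels back on files copied in from elsewhere. Re-test under the account that matters rather than as root, for example runuser -u postfix -- postmap -q 'someone@1CorpHQ.tcs.mil.in' ldap:/etc/postfix/virtual_alias_map_ssl_ldapusers (address is a placeholder): postmap run as root will happily read a file that trivial-rewrite cannot.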