Score:0

Dovecot can't connect to ldap server via ldaps


I have an LDAP server that accepts requests through ldaps on port 636. I already use it for many of my applications, and I want my dovecot server to use it for authentication as well.

dovecot ldap config:

uris = ldaps://<<ldap-url>>:636
auth_bind = yes
dn = <<dn>>
dnpass = <<pw>>
ldap_version = 3
base = <<base>>
deref = never
scope = subtree
default_pass_scheme = SSHA
blocking=yes # apparently this sometimes helps, but not in this case

# user filter
#user_attrs = mailHomeDirectory=mail,mailStorageDirectory=mail,mailQuota=quota_rule=*:bytes=%$
user_attrs = 
user_filter = (&(objectClass=mailUser)(maildrop=%u))

# password filter
#pass_attrs  = maildrop=user,userPassword=password
pass_attrs = userPassword=password
pass_filter = (&(objectClass=mailUser)(maildrop=%u))

#iterate_attrs = mail=user
#iterate_filter = (objectClass=mailUser)

The LDAP server is up and running, I can bind to the configured dn with the configured pass and base with JXplorer, but not with dovecot.

relevant log part:

dovecot: auth-worker(15177): Error: LDAP: Can't connect to server: ldaps://ldap.ropi.dev:636
If I remember correctly you can turn on LDAP debugging in dovecot-ldap.conf; maybe you could try that to get more info. Usual suspect: the certificate verification.
László Stahorszki:
I was kind of aware of the certificate error (I also saw the openldap log). I thought I had enabled all debug messages in dovecot, but your comment made me realize that I hadn't.
Score:0

The problem (and by extension the solution) is a pretty unique one. The whole reason I started doing all of this is that I want to phase out one of my servers. For the most part, I have removed all functionality from it, and this is the last piece.

This also means that I haven't updated my packages in a while.

Now, I use LetsEncrypt certificates for my SSL communication. The thing is, one of the certificates in the chain provided by LetsEncrypt expired on 2021.09.30. Since I hadn't updated the system in a while, I didn't have the new certificate for my cert chain. This was the reason why I kept getting TLS handshake errors.

So the solution in my case was as simple as:

sudo yum upgrade -y
sudo systemctl restart dovecot

Thank you to @naxto asenjo for helping me uncover the issue.
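Because the failure was in TLS chain verification and not in LDAP itself, the quickest way to see it outside dovecot is to make the same LDAPS connection with openssl and read its verify result. The script below is an added example, not code from the question or the answer: the host name and port are placeholders, and the two pieces of s_client output it demonstrates on are constructed to mirror the expired-chain failure described above and a healthy chain.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the original question or answer.
# It performs the same TLS handshake and chain verification that dovecot's
# LDAP client does against the LDAPS port, but with openssl s_client, so a
# chain problem (expired root, missing intermediate, untrusted CA) shows up
# as an openssl verify code instead of dovecot's generic
# "LDAP: Can't connect to server" line.
# Host name and port used below are assumptions for illustration.

# Classify the "Verify return code" line of `openssl s_client` output read
# from stdin. Returns 0 when the chain verified, 1 otherwise, and prints a
# one-line reason either way.
verify_status() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (\(.*\))$/\1 \2/p' | head -n 1)
    case "$code" in
        "")
            echo "no verify result: handshake ended before chain verification"
            return 1 ;;
        "0 ok")
            echo "chain ok"
            return 0 ;;
        "10 "*)
            echo "chain rejected: a certificate in the chain has expired (code 10)"
            return 1 ;;
        "19 "*|"20 "*|"21 "*)
            echo "chain rejected: issuer not trusted or chain incomplete (code ${code%% *})"
            return 1 ;;
        *)
            echo "chain rejected: $code"
            return 1 ;;
    esac
}

# Connect to the LDAPS port the way dovecot would and classify the result.
# Usage: ldaps_verify ldap.example.org 636   (host and port are assumptions)
ldaps_verify() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>&1 \
        | verify_status
}

# Constructed samples of the relevant tail of s_client output. The first
# mirrors the failure in the answer (an expired certificate in the chain),
# the second is a healthy chain.
SAMPLE_EXPIRED='CONNECTED(00000003)
verify error:num=10:certificate has expired
---
    Verify return code: 10 (certificate has expired)
---'
SAMPLE_OK='CONNECTED(00000003)
---
    Verify return code: 0 (ok)
---'

# Demonstrate on the constructed samples (no network needed).
printf '%s\n' "$SAMPLE_EXPIRED" | verify_status || :
printf '%s\n' "$SAMPLE_OK" | verify_status

# Run against a real server when a host and port are given on the command line.
if [ "$#" -eq 2 ]; then
    ldaps_verify "$1" "$2"
fi
```

A verify code of 10 points at the trust store or the served chain being stale, which is what `yum upgrade` fixed here: on CentOS/RHEL the system trust store is the ca-certificates package, so updating that package alone would have been enough. Codes 19, 20 and 21 mean the LDAP server is sending a chain the client cannot link to a trusted root, which is a server-side chain problem rather than a client update problem. To get the same detail from dovecot itself, set `debug_level = -1` in the LDAP passdb/userdb config file (dovecot-ldap.conf.ext) and `auth_debug = yes` in the auth settings; the same file also accepts `tls_ca_cert_file` if you want dovecot to verify against a specific CA bundle instead of the system store.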
