automx usetls ldap

Wojciech Giel wojciech.giel at cimr.cam.ac.uk
Thu Mar 8 11:25:15 CET 2012


Hi,
I'm trying to get automx running with LDAP on Debian Squeeze. I have 
OpenLDAP configured with SSL (ldaps) and STARTTLS (ldap) enabled.
I can get results connecting without encryption, but with TLS enabled 
I get a negotiation failure.

log from slapd:
Mar  8 10:00:46 autoconfig slapd[1905]: slap_listener_activate(8):
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=8 busy
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: >>> slap_listener(ldap://127.0.0.1:389/)
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: listen=8, new connection on 17
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: added 17r (active) listener=(nil)
Mar  8 10:00:46 autoconfig slapd[1905]: conn=1003 fd=17 ACCEPT from IP=127.0.0.1:37058 (IP=127.0.0.1:389)
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: activity on 1 descriptor
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: activity on:
...
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: read active on 17
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: connection_get(17)
Mar  8 10:00:46 autoconfig slapd[1905]: connection_get(17): got connid=1003
Mar  8 10:00:46 autoconfig slapd[1905]: connection_read(17): checking for input on id=1003
Mar  8 10:00:46 autoconfig slapd[1905]: op tag 0x77, time 1331200846
Mar  8 10:00:46 autoconfig slapd[1905]: conn=1003 op=0 do_extended
Mar  8 10:00:46 autoconfig slapd[1905]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar  8 10:00:46 autoconfig slapd[1905]: do_extended: oid=1.3.6.1.4.1.1466.20037
Mar  8 10:00:46 autoconfig slapd[1905]: conn=1003 op=0 STARTTLS
Mar  8 10:00:46 autoconfig slapd[1905]: send_ldap_extended: err=0 oid= len=0
Mar  8 10:00:46 autoconfig slapd[1905]: send_ldap_response: msgid=1 tag=120 err=0
Mar  8 10:00:46 autoconfig slapd[1905]: conn=1003 op=0 RESULT oid= err=0 text=
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: activity on 1 descriptor
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: activity on:
...
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Mar  8 10:00:46 autoconfig slapd[1905]: connection_get(17)
Mar  8 10:00:46 autoconfig slapd[1905]: connection_get(17): got connid=1003
Mar  8 10:00:46 autoconfig slapd[1905]: connection_read(17): checking for input on id=1003
Mar  8 10:00:46 autoconfig slapd[1905]: connection_read(17): TLS accept failure error=-1 id=1003, closing
Mar  8 10:00:46 autoconfig slapd[1905]: connection_closing: readying conn=1003 sd=17 for close
Mar  8 10:00:46 autoconfig slapd[1905]: connection_close: conn=1003 sd=17
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: removing 17
Mar  8 10:00:46 autoconfig slapd[1905]: conn=1003 fd=17 closed (TLS negotiation failure)
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: activity on 1 descriptor
Mar  8 10:00:46 autoconfig slapd[1905]: daemon: activity on:

apache log:
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] debug, request GET: QUERY_STRING={'emailaddress': ['wojciech.giel at localdomain.local']}
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] data.configure(): {'desc': "Can't contact LDAP server"}
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] debug, response:
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] <?xml version='1.0' encoding='utf-8'?>
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] <clientConfig version="1.1">
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] <emailProvider id="localdomain.local">
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] <domain/>
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] <displayName/>
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] <displayShortName/>
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] </emailProvider>
[Wed Mar 07 12:39:58 2012] [error] [client 192.168.195.2] </clientConfig>


my automx.conf:
# file: /etc/automx.conf

[automx]
provider = localdomain.local
domains = *

# The DEFAULT section is always merged into each other section. Each section
# can overwrite settings done here.
[DEFAULT]
action = settings

account_type = email
account_name = TEST
account_name_short = TEST

display_name = ${givenName} ${sn}

smtp = yes
smtp_server = badger.localdomain.local
smtp_port = 587
smtp_encryption = starttls
smtp_auth = encrypted
smtp_auth_identity = ${cn}
smtp_default = yes

imap = yes
imap_server = badger.localdomain.local
imap_port = 993
imap_encryption = ssl
imap_auth = encrypted
imap_auth_identity = ${cn}

pop = no

host = ldap://127.0.0.1
base = ou=People,dc=localdomain,dc=local
result_attrs = cn, givenName, sn
scope = sub
filter = (&(objectClass=*) (mail=%s))

bindmethod = simple
binddn = cn=admin,dc=localdomain,dc=local
bindpw = test123
usetls = yes
cacert = /etc/ldap/ssl/cacert.pem

# If a domain is listed in the automx section, it may have its own section. If
# none is found here, the global section is used.
[global]
backend = ldap


What can be the problem?
thanks
Wojciech
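Added note (not part of the original post, and not automx code): the slapd log above shows the StartTLS ExtendedRequest (op tag 0x77) being answered with err=0 (tag=120), and only the TLS handshake that follows it failing, while python-ldap hands automx nothing more specific than "Can't contact LDAP server". The probe below redoes the same two steps by hand so that the actual TLS error is visible: it BER-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), parses the ExtendedResponse, and then upgrades the socket with certificate verification against a CA file, which is what usetls = yes together with cacert = ... asks the client to do. A client that dials 127.0.0.1 checks the certificate against that name unless it is given another one, so the probe takes an optional server_hostname. The host, port, CA path and hostname in main() are placeholders for the reader's own setup; extended_response() only exists to build constructed sample server replies for checking the parser.

```python
"""Minimal LDAP StartTLS probe (added example, not part of automx).

Sends the StartTLS extended operation over a plain LDAP connection, checks
the ExtendedResponse, then upgrades the socket with strict certificate
verification against a CA file. Host, port, CA path and server_hostname in
main() are placeholders for your own environment.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23]; slapd logs it as "op tag 0x77"
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24]; slapd logs it as "tag=120"


def ber_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n, tag=0x02):
    """Two's-complement INTEGER (or ENUMERATED when tag=0x0A)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
    return ber_tlv(tag, body)


def ber_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest { [0] requestName } }"""
    op = ber_tlv(TAG_EXTENDED_REQUEST, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_int(msgid) + op)


def extended_response(msgid, result_code, diagnostic=""):
    """Server-side ExtendedResponse; used here only to build constructed
    sample replies (resultCode 0 + empty matchedDN/diagnostic = slapd's err=0)."""
    op = (ber_int(result_code, 0x0A) + ber_tlv(0x04, b"")
          + ber_tlv(0x04, diagnostic.encode()))
    return ber_tlv(0x30, ber_int(msgid) + ber_tlv(TAG_EXTENDED_RESPONSE, op))


def parse_extended_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from an LDAPMessage."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    if op_tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    _, code, pos = ber_read(op)
    _, _matched_dn, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)
    return (int.from_bytes(msgid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))


def probe_starttls(host, port, cafile, server_hostname=None):
    """StartTLS, then a verified TLS handshake. Returns the peer certificate
    on success and raises with the LDAP or TLS reason otherwise. Verification
    is deliberately never relaxed: a client that accepts any certificate gets
    no protection from usetls at all."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(starttls_request(1))
        msgid, code, diag = parse_extended_response(sock.recv(4096))
        if msgid != 1 or code != 0:
            raise RuntimeError("StartTLS refused: resultCode=%d %r" % (code, diag))
        # The certificate is checked against server_hostname; a client that
        # dials 127.0.0.1 checks it against 127.0.0.1 unless told otherwise.
        with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Placeholder values; point them at your own slapd and CA file.
    try:
        cert = probe_starttls("127.0.0.1", 389, "/etc/ldap/ssl/cacert.pem",
                              server_hostname="ldap.example.invalid")
        print("StartTLS OK, subject:", cert.get("subject"))
    except (ssl.SSLError, OSError, RuntimeError, ValueError) as exc:
        print("StartTLS failed:", exc)
```

Run it on the automx host against the same ldap:// URL and CA file as automx.conf uses; whatever the ssl module raises (certificate verify failed, hostname mismatch, protocol version rejected) is the reason hiding behind the generic error. Do not make the failure go away by turning verification off: with the certificate unchecked, usetls = yes still encrypts the connection, but anyone on the path can impersonate the directory and collect the bindpw from the simple bind that follows.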
