postfix-users

On Wed, Feb 25, 2009 at 05:34:26PM -0600, Nick Geron wrote:

>> This is an OpenLDAP API design issue. The OpenLDAP library (at least up
>> to version 2.3) has a single global SSL_CTX object, that is initialized
>> just once by the first call that creates an SSL-protected LDAP connection.
>> All requests to set the global SSL context properties are ignored silently
>> after that point.
>>
>> To solve your problem you must make sure that your nsswitch CAfile and
>> CAfile include all the certificates needed by Postfix.
>
> Understood.  Thanks again to Victor and Quanah.

Note, the OpenLDAP API design issue is resolved with OpenLDAP 2.4.

With OpenLDAP 2.4 it is possible to set the TLS properties for
a particular LDAP connection (not just global properties), and to
associate a new OpenLDAP managed TLS context for the connection via the
new "LDAP_OPT_X_TLS_NEWCTX" option.

Try this completely untested patch (it may not even compile, but it
looks promising):

Index: src/global/dict_ldap.c
--- src/global/dict_ldap.c      28 Jan 2008 04:29:48 -0000      1.1.1.2
+++ src/global/dict_ldap.c      26 Feb 2009 00:04:18 -0000
@@ -484,10 +484,16 @@
 {
     const char *myname = "dict_ldap_set_tls_options";
     int     rc;
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+    int     am_server = 0;
+    LDAP   *ld = dict_ldap->ld;
+#else
+    LDAP   *ld = 0;
+#endif
 
     if (dict_ldap->start_tls || dict_ldap->ldap_ssl) {
        if (*dict_ldap->tls_random_file) {
-           if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
+           if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_RANDOM_FILE,
                               dict_ldap->tls_random_file)) != LDAP_SUCCESS) {
                msg_warn("%s: Unable to set tls_random_file to %s: %d: %s",
                         myname, dict_ldap->tls_random_file,
@@ -496,7 +502,7 @@
            }
        }
        if (*dict_ldap->tls_ca_cert_file) {
-           if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+           if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
                              dict_ldap->tls_ca_cert_file)) != LDAP_SUCCESS) {
                msg_warn("%s: Unable to set tls_ca_cert_file to %s: %d: %s",
                         myname, dict_ldap->tls_ca_cert_file,
@@ -505,7 +511,7 @@
            }
        }
        if (*dict_ldap->tls_ca_cert_dir) {
-           if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,
+           if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR,
                               dict_ldap->tls_ca_cert_dir)) != LDAP_SUCCESS) {
                msg_warn("%s: Unable to set tls_ca_cert_dir to %s: %d: %s",
                         myname, dict_ldap->tls_ca_cert_dir,
@@ -514,7 +520,7 @@
            }
        }
        if (*dict_ldap->tls_cert) {
-           if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE,
+           if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE,
                                      dict_ldap->tls_cert)) != LDAP_SUCCESS) {
                msg_warn("%s: Unable to set tls_cert to %s: %d: %s",
                         myname, dict_ldap->tls_cert,
@@ -523,7 +529,7 @@
            }
        }
        if (*dict_ldap->tls_key) {
-           if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE,
+           if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE,
                                      dict_ldap->tls_key)) != LDAP_SUCCESS) {
                msg_warn("%s: Unable to set tls_key to %s: %d: %s",
                         myname, dict_ldap->tls_key,
@@ -532,7 +538,7 @@
            }
        }
        if (*dict_ldap->tls_cipher_suite) {
-           if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
+           if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
                              dict_ldap->tls_cipher_suite)) != LDAP_SUCCESS) {
                msg_warn("%s: Unable to set tls_cipher_suite to %s: %d: %s",
                         myname, dict_ldap->tls_cipher_suite,
@@ -540,13 +546,21 @@
                return (-1);
            }
        }
-       if ((rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
                       &(dict_ldap->tls_require_cert))) != LDAP_SUCCESS) {
            msg_warn("%s: Unable to set tls_require_cert to %d: %d: %s",
                     myname, dict_ldap->tls_require_cert,
                     rc, ldap_err2string(rc));
            return (-1);
        }
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+       if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &am_server))
+           != LDAP_SUCCESS) {
+           msg_warn("%s: Unable to allocate new TLS context %d: %s",
+                    myname, rc, ldap_err2string(rc));
+           return (-1);
+       }
+#endif
     }
     return (0);
 }
@@ -592,10 +606,6 @@
 
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
-    if (dict_ldap_set_tls_options(dict_ldap) != 0) {
-       dict_errno = DICT_ERR_RETRY;
-       return (-1);
-    }
     ldap_initialize(&(dict_ldap->ld), dict_ldap->server_host);
 #else
     dict_ldap->ld = ldap_init(dict_ldap->server_host,
@@ -700,6 +710,8 @@
 #endif
 
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
+    if (dict_ldap_set_tls_options(dict_ldap) != 0)
+       DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
     if (dict_ldap->start_tls) {
        if ((saved_alarm = signal(SIGALRM, dict_ldap_timeout)) == SIG_ERR) {
            msg_warn("%s: Error setting signal handler for STARTTLS timeout: 
%m",

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[EMAIL PROTECTED]>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.