1

Topic: ldap ssl

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5.1
- Linux/BSD distribution name and version: CentOS 6.8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hello,

I have rented a VPS and I have installed iRedMail on CentOS 6.8. I would like to use the advantages of LDAP for other servers that I own in my house. To do so, I would prefer to use a site-to-site VPN, but since I don't know how to set this up, I will just use encrypted connections between the VPS and my home.

In iptables I allowed all ports from my home to be reachable on the VPS. The issue that I am facing now is with LDAP. Port 636 (LDAPS) is responding fine on telnet but doesn't allow any application in my home to connect to it.

I was wondering whether there is something special in iRedMail that allows LDAPS responses only locally, or whether there is something else blocking my access, to your knowledge.

Thanks.

2

Re: ldap ssl

Did you try to run 'ldapsearch' (or similar ldap client tool) on your home server to connect to remote LDAP? Any error on console?

3

Re: ldap ssl

I ran this:

ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com "cn=babs jensen"

And I got this:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: cn=babs jensen
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

and then this:

ldapsearch -D "cn=directory manager" -w secret -p 636 -h server.example.com "cn=babs jensen"

and I got that:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Obviously I don't know how to run the command right, but at least you can see the results.

I tried the same from the server itself. Funny thing: for the command that first returned an unknown user, I actually got the correct results. For 636, I got the same error message again.

4

Re: ldap ssl

The bind dn specified by '-D' option is incorrect. You should try 'cn=manager,dc=xx,dc=xx' instead, and you can find it in file iRedMail-0.9.5-1/iRedMail.tips.

5

Re: ldap ssl

I don't think that's it; here is the exact command (except the password) that I ran:

$ ldapsearch -D "cn=Manager,dc=savagi,dc=net" -w secret -p 389 -h savagi.net "cn=Vasileios Giannakopoulos"
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: cn=Vasileios Giannakopoulos
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

same command from the server:

$ ldapsearch -D "cn=Manager,dc=savagi,dc=net" -w secret -p 389 -h savagi.net "cn=Vasileios Giannakopoulos"
# extended LDIF
#
# LDAPv3
# base <dc=savagi,dc=net> (default) with scope subtree
# filter: cn=Vasileios Giannakopoulos
# requesting: ALL
#

# vasileiosg@savagi.net, Users, savagi.net, domains, savagi.net
dn: mail=vasileiosg@savagi.net,ou=Users,domainName=savagi.net,o=domains,dc=sav
agi,dc=net
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: shadowAccount
objectClass: amavisAccount
mail: vasileiosg@savagi.net
uid: vasileiosg
storageBaseDirectory: /var/vmail
mailMessageStore: vmail1/savagi.net/v/a/s/vasileiosg-2016.09.12.09.32.22/
homeDirectory: /var/vmail/vmail1/savagi.net/v/a/s/vasileiosg-2016.09.12.09.32.
22/
amavisLocal: TRUE
cn: Vasileios Giannakopoulos
givenName: Vasileios
sn: Giannakopoulos
preferredLanguage: en_US
employeeNumber: vasileiosg
mobile:
mailQuota: 10737418240
accountStatus: active
enabledService: mail
enabledService: deliver
enabledService: lda
enabledService: lmtp
enabledService: smtp
enabledService: smtpsecured
enabledService: pop3
enabledService: pop3secured
enabledService: imap
enabledService: imapsecured
enabledService: managesieve
enabledService: managesievesecured
enabledService: sogo
enabledService: sieve
enabledService: sievesecured
enabledService: forward
enabledService: senderbcc
enabledService: recipientbcc
enabledService: internal
enabledService: lib-storage
enabledService: indexer-worker
enabledService: doveadm
enabledService: dsync
enabledService: shadowaddress
enabledService: displayedInGlobalAddressBook
userPassword:
=
shadowLastChange: 17070

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

nslookup resolves on the same IP address in both locations. So that's not it either.

6

Re: ldap ssl

vasileiosg wrote:

$ ldapsearch -D "cn=Manager,dc=savagi,dc=net" -w secret -p 389 -h savagi.net "cn=Vasileios Giannakopoulos"

Your test is using port 389, but you're trying to use port 636 in your application.

*) Does ldapsearch work fine with your ldap server through port 636?
*) Any error message in your application?

7

Re: ldap ssl

Very good observation. Indeed, when I ran the same on 636 I get:

ldapsearch -D "cn=Manager,dc=savagi,dc=net" -w secret -p 636 -h savagi.net "cn=Vasileios Giannakopoulos"
ldap_result: Can't contact LDAP server (-1)

Could you please explain what you mean by error message in my application?

8

Re: ldap ssl

vasileiosg wrote:

ldapsearch -D "cn=Manager,dc=savagi,dc=net" -w secret -p 636 -h savagi.net "cn=Vasileios Giannakopoulos"
ldap_result: Can't contact LDAP server (-1)

Is port 636 open in your firewall? You mention "The port 636 (LDAPS) is responding fine on telnet" in the first post, but it seems it doesn't work.

Besides port 636, you can also use port 389 with STARTTLS for a secure connection.

9

Re: ldap ssl

vasileiosg wrote:

Could you please explain what you mean by error message in my application?

If your application cannot connect to the LDAP server, at least it will report some error message, won't it?

10

Re: ldap ssl

Sorry, I just hadn't realised that by application you meant OpenLDAP. I looked in /var/log/openldap.log but it is completely empty.

I also said in the beginning that 636 is responding in telnet; that didn't mean that it is actually working. As for iptables (there is nothing else on that side), here is what I have done:

iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-dovecot
-N f2b-postfix
-N f2b-roundcube
-N f2b-sogo
-N f2b-sshd
-N f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-sogo
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-roundcube
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-sogo
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-dovecot
-A INPUT -p tcp -m multiport --dports 80,443,25,587,110,995,143,993,4190 -j f2b-roundcube
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd-ddos
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 500 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p udp -m limit --limit 100/sec --limit-burst 500 -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -m connlimit --connlimit-above 128 --connlimit-mask 32 -j DROP
-A INPUT -m connlimit --connlimit-above 512 --connlimit-mask 8 -j DROP
-A INPUT -s 94.210.16.163/32 -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp -m multiport --dports 110,143,389,636,995,3306 -j DROP
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A f2b-dovecot -j RETURN
-A f2b-dovecot -j RETURN
-A f2b-postfix -s 155.133.82.141/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -j RETURN
-A f2b-postfix -j RETURN
-A f2b-roundcube -j RETURN
-A f2b-roundcube -j RETURN
-A f2b-sogo -j RETURN
-A f2b-sogo -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
-A f2b-sshd-ddos -j RETURN

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sogo   tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-postfix  tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-dovecot  tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-roundcube  tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-sshd-ddos  tcp  --  anywhere             anywhere            multiport dports ssh
f2b-sshd   tcp  --  anywhere             anywhere            multiport dports ssh
f2b-sogo   tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-postfix  tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-dovecot  tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-roundcube  tcp  --  anywhere             anywhere            multiport dports http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve
f2b-sshd-ddos  tcp  --  anywhere             anywhere            multiport dports ssh
f2b-sshd   tcp  --  anywhere             anywhere            multiport dports ssh
ACCEPT     icmp --  anywhere             anywhere            limit: avg 100/sec burst 500
DROP       icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            limit: avg 100/sec burst 500
DROP       udp  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            #conn/32 > 128
DROP       all  --  anywhere             anywhere            #conn/8 > 512
ACCEPT     all  --  5ED210A3.cm-7-3a.dynamic.ziggo.nl  anywhere
DROP       tcp  --  anywhere             anywhere            tcp multiport dports pop3,imap,ldap,ldaps,pop3s,mysql
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipsec-nat-t
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipsec-nat-t

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-dovecot (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain f2b-postfix (2 references)
target     prot opt source               destination
REJECT     all  --  155.133.82.141       anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain f2b-roundcube (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain f2b-sogo (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd-ddos (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
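The rule set above can be walked by hand, but a small first-match simulator makes the verdict explicit. This is an added example, not code from the thread or from iRedMail: it parses a constructed excerpt of the `iptables -S` lines quoted above (kept in their original order; the rate-limit and connlimit rules are left out because their outcome depends on runtime counters), understands only the matchers those lines use (-s, -i, -p, --dport/--dports, -j with user chains and RETURN), and reports which rule decided a packet's fate. The 203.0.113.x address is a constructed test address, not one from the thread.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the `iptables -S` output quoted in the thread (same order).
RULES_S = """\
-P INPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -s 94.210.16.163/32 -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp -m multiport --dports 110,143,389,636,995,3306 -j DROP
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A f2b-sshd -j RETURN
"""


@dataclass
class Packet:
    src: str                    # source IPv4 address
    iface: str                  # ingress interface, e.g. venet0
    proto: str                  # tcp / udp / icmp
    dport: Optional[int] = None


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    dports: Set[int] = field(default_factory=set)
    target: str = ""
    text: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def _parse_rule(tokens: List[str], text: str) -> Rule:
    """Parse the options of one `-A` line. Unknown options raise instead of being
    ignored, so a rule is never silently misread as "matches everything"."""
    rule = Rule(text=text)
    i = 0
    while i < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "-i":
            rule.iface = arg
        elif opt == "-p":
            rule.proto = arg
        elif opt in ("--dport", "--dports"):
            rule.dports = {int(p) for p in arg.split(",")}   # plain port lists only
        elif opt == "-j":
            rule.target = arg
        elif opt == "-m":
            pass  # match-extension name (tcp, udp, multiport); its options are handled above
        else:
            raise ValueError(f"unsupported option {opt!r} in: {text}")
        i += 2
    return rule


def parse_rules(text: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Turn `iptables -S` lines into (chain policies, per-chain rule lists)."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":              # built-in chain and its default policy
            policies[tokens[1]] = tokens[2]
            chains.setdefault(tokens[1], [])
        elif tokens[0] == "-N":            # user-defined chain
            chains.setdefault(tokens[1], [])
        elif tokens[0] == "-A":            # append a rule to a chain
            chains.setdefault(tokens[1], []).append(_parse_rule(tokens[2:], line))
        else:
            raise ValueError(f"unsupported line: {line}")
    return policies, chains


def walk(chain: str, pkt: Packet, policies: Dict[str, str],
         chains: Dict[str, List[Rule]]) -> Tuple[Optional[str], Optional[str]]:
    """First-match evaluation of one chain; returns (verdict, deciding rule text).
    None means a user chain fell through or hit RETURN, so the caller continues."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, rule.text
        if rule.target == "RETURN":
            return (policies[chain], rule.text) if chain in policies else (None, None)
        verdict, hit = walk(rule.target, pkt, policies, chains)   # jump to user chain
        if verdict is not None:
            return verdict, hit
    if chain in policies:                   # end of a built-in chain: default policy
        return policies[chain], f"policy {chain} {policies[chain]}"
    return None, None


def verdict(pkt: Packet, rules_text: str = RULES_S) -> Optional[str]:
    policies, chains = parse_rules(rules_text)
    return walk("INPUT", pkt, policies, chains)[0]


if __name__ == "__main__":
    for p in (Packet("94.210.16.163", "venet0", "tcp", 636),   # the home address from the thread
              Packet("203.0.113.5", "venet0", "tcp", 636),     # constructed: any other source
              Packet("203.0.113.5", "venet0", "tcp", 22)):
        print(p, "->", walk("INPUT", p, *parse_rules(RULES_S)))
```

Walking the excerpt shows why LDAPS is reachable from home but from nowhere else: the `-s 94.210.16.163/32 -j ACCEPT` rule sits before the `venet0` DROP that covers 389 and 636, so the home address is accepted on 636 while any other source hits the DROP. Since the `iptables -L` listing resolves that address to a dynamic ziggo.nl hostname, a change of home IP would move the same test into the DROP branch, which is worth checking first when "it worked yesterday".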

11

Re: ldap ssl

About "application", I mean the one you want to connect to OpenLDAP on another server.

Also, please check the LDAP connection on the iRedMail server first with 'ldapsearch' (or another tool you prefer) on port 636 (the one you want to use). If it works locally but not remotely, check the firewall.

12

Re: ldap ssl

ldapsearch has the results as I mentioned to you above. OK, 636 doesn't work, but I don't care about that either; if 389 can be secure, then that's good enough for me. I tried, for example, to use macOS to look it up using Directory Utility, and the response was that the server cannot use secure LDAP. I also used LdapAdmin on Windows and it gives me exactly the same error (that a secure connection is not supported).

13

Re: ldap ssl

Try to test with 'ldapsearch' and the '-Z' option; it will issue the STARTTLS directive for a secure connection. If it doesn't work, please add the '-d 256' (or even '-d -1') option to ldapsearch to get more details.
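What `-Z` does on the wire is two separate steps, and separating them is what makes a failing test informative. The following is an added example, not code from the thread or from OpenLDAP: a minimal STARTTLS probe in Python that sends the RFC 4511 StartTLS extended request over plain port 389, reads the server's ExtendedResponse, and only then attempts the TLS handshake, so the report says whether the server refused the extended operation (a resultCode) or accepted it and then failed the handshake (the certificate/key class of problem). The BER encoder and parser are exercised on constructed messages; `probe_starttls`, the `cafile` parameter and the placeholder host in `__main__` are this example's own assumptions. No bind is sent, so no credentials travel over the connection.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

# A few LDAP result codes a StartTLS request may come back with (RFC 4511).
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError", 52: "unavailable"}


def _encode_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    msgid_ber = _tlv(0x02, msgid.to_bytes(1, "big"))     # INTEGER; msgid below 128 assumed
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))       # 0x77 = APPLICATION 23, 0x80 = [0]
    return _tlv(0x30, msgid_ber + ext_req)


def parse_extended_response(data: bytes) -> Tuple[int, int, str]:
    """Parse an LDAPMessage carrying an ExtendedResponse [APPLICATION 24].
    Returns (messageID, resultCode, diagnosticMessage). The optional responseName
    that OpenLDAP appends after the diagnostic message is tolerated and skipped."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msgid_b, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse (0x78), got tag 0x{tag:02x}")
    tag, code_b, pos = _read_tlv(op, 0)          # ENUMERATED resultCode
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(op, pos)     # OCTET STRING matchedDN
    _, diag, _ = _read_tlv(op, pos)              # OCTET STRING diagnosticMessage
    return (int.from_bytes(msgid_b, "big", signed=True),
            int.from_bytes(code_b, "big"),
            diag.decode("utf-8", "replace"))


def probe_starttls(host: str, port: int = 389, cafile: Optional[str] = None,
                   timeout: float = 5.0) -> Dict[str, str]:
    """Do what `ldapsearch -Z` does up to the handshake and report which stage failed.
    `cafile` (assumed parameter) is the CA certificate the client trusts, the role
    the TLS_CACERT setting in a client's ldap.conf plays for ldapsearch."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        raw = sock.recv(4096)                    # the response is a few dozen bytes
        if not raw:
            return {"stage": "starttls", "ok": "no", "detail": "server closed the connection"}
        _, code, diag = parse_extended_response(raw)
        if code != 0:
            name = RESULT_NAMES.get(code, "unknown")
            return {"stage": "starttls", "ok": "no", "detail": f"resultCode {code} ({name}): {diag}"}
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"stage": "tls", "ok": "yes",
                        "detail": f"{tls.version()} subject={cert.get('subject')}"}
        except OSError as exc:                   # ssl.SSLError is an OSError subclass
            return {"stage": "tls", "ok": "no", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.invalid"   # placeholder host
    print(probe_starttls(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Read against the thread: a "starttls" failure with a non-zero resultCode means slapd is not offering StartTLS at all, while "ok: no" at the "tls" stage after a resultCode 0 means the server agreed to StartTLS and the handshake itself broke, which is the pattern behind "SSLHandshake() failed" and "Encountered end of file". Running it once on the server against itself and once from the client, with the same `cafile`, also shows whether the two hosts trust different CA files.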

14

Re: ldap ssl

From the client:

ldapsearch -Z -D "cn=Manager,dc=savagi,dc=net" -w SECRET -p 389 -h savagi.net "cn=Vasileios Giannakopoulos"
ldap_start_tls: Connect error (-11)
    additional info: SSLHandshake() failed: connection closed via error (-9806)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -d 1 -D "cn=Manager,dc=savagi,dc=net" -w SECRET -p 389 -h savagi.net "cn=Vasileios Giannakopoulos"
ldap_create
ldap_url_parse_ext(ldap://savagi.net:389)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP savagi.net:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 212.24.106.208:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 71 bytes to sd 3
ldap_result ld 0x7fc50640b410 msgid 1
wait4msg ld 0x7fc50640b410 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fc50640b410 msgid 1 all 1
** ld 0x7fc50640b410 Connections:
* host: savagi.net  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jan  9 22:13:38 2017


** ld 0x7fc50640b410 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fc50640b410 request count 1 (abandoned 0)
** ld 0x7fc50640b410 Red-Black Tree Response Queue:
   Empty
  ld 0x7fc50640b410 response count 1
ldap_chkResponseList ld 0x7fc50640b410 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fc50640b410 NULL
ldap_int_select
read1msg: ld 0x7fc50640b410 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7fc50640b410 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7fc50640b410 0 new referrals
read1msg:  mark request completed, ld 0x7fc50640b410 msgid 1
request done: ld 0x7fc50640b410 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: cn=Vasileios Giannakopoulos
# requesting: ALL
#

ldap_search_ext
put_filter: "cn=Vasileios Giannakopoulos"
put_filter: default
put_simple_filter: "cn=Vasileios Giannakopoulos"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 58 bytes to sd 3
ldap_result ld 0x7fc50640b410 msgid -1
wait4msg ld 0x7fc50640b410 msgid -1 (infinite timeout)
wait4msg continue ld 0x7fc50640b410 msgid -1 all 0
** ld 0x7fc50640b410 Connections:
* host: savagi.net  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jan  9 22:13:38 2017


** ld 0x7fc50640b410 Outstanding Requests:
* msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fc50640b410 request count 1 (abandoned 0)
** ld 0x7fc50640b410 Red-Black Tree Response Queue:
   Empty
  ld 0x7fc50640b410 response count 1
ldap_chkResponseList ld 0x7fc50640b410 msgid -1 all 0
ldap_chkResponseList returns ld 0x7fc50640b410 NULL
ldap_int_select
read1msg: ld 0x7fc50640b410 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7fc50640b410 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7fc50640b410 0 new referrals
read1msg:  mark request completed, ld 0x7fc50640b410 msgid 2
request done: ld 0x7fc50640b410 msgid 2
res_errno: 32, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 32 No such object
ldap_msgfree

# numResponses: 1
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
tlsst_destroy()

From the server:
ldapsearch -Z -D "cn=Manager,dc=savagi,dc=net" -w SECRET -p 389 -h savagi.net "cn=Vasileios Giannakopoulos"
ldap_start_tls: Connect error (-11)
    additional info: TLS error -5938:Encountered end of file
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -d 1 -D "cn=Manager,dc=savagi,dc=net" -w SECRET -p 389 -h savagi.net "cn=Vasileios Giannakopoulos"
ldap_create
ldap_url_parse_ext(ldap://savagi.net:389)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP savagi.net:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 212.24.106.208:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 71 bytes to sd 3
ldap_result ld 0x22a1460 msgid 1
wait4msg ld 0x22a1460 msgid 1 (infinite timeout)
wait4msg continue ld 0x22a1460 msgid 1 all 1
** ld 0x22a1460 Connections:
* host: savagi.net  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jan  9 22:15:59 2017


** ld 0x22a1460 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x22a1460 request count 1 (abandoned 0)
** ld 0x22a1460 Response Queue:
   Empty
  ld 0x22a1460 response count 0
ldap_chkResponseList ld 0x22a1460 msgid 1 all 1
ldap_chkResponseList returns ld 0x22a1460 NULL
ldap_int_select
read1msg: ld 0x22a1460 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x22a1460 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x22a1460 0 new referrals
read1msg:  mark request completed, ld 0x22a1460 msgid 1
request done: ld 0x22a1460 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=savagi,dc=net> (default) with scope subtree
# filter: cn=Vasileios Giannakopoulos
# requesting: ALL
#

ldap_search_ext
put_filter: "cn=Vasileios Giannakopoulos"
put_filter: default
put_simple_filter: "cn=Vasileios Giannakopoulos"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 74 bytes to sd 3
ldap_result ld 0x22a1460 msgid -1
wait4msg ld 0x22a1460 msgid -1 (infinite timeout)
wait4msg continue ld 0x22a1460 msgid -1 all 0
** ld 0x22a1460 Connections:
* host: savagi.net  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jan  9 22:15:59 2017


** ld 0x22a1460 Outstanding Requests:
* msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x22a1460 request count 1 (abandoned 0)
** ld 0x22a1460 Response Queue:
   Empty
  ld 0x22a1460 response count 0
ldap_chkResponseList ld 0x22a1460 msgid -1 all 0
ldap_chkResponseList returns ld 0x22a1460 NULL
ldap_int_select
read1msg: ld 0x22a1460 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 1073 contents:
read1msg: ld 0x22a1460 msgid 2 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
#@savagi.net, Users, savagi.net, domains, savagi.net
dn: mail=@savagi.net,ou=Users,domainName=savagi.net,o=domains,dc=sav
agi,dc=net
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: shadowAccount
objectClass: amavisAccount
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
mail: vasileiosg@savagi.net
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
uid: vasileiosg
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
storageBaseDirectory: /var/vmail
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
mailMessageStore: vmail1/savagi.net/v/a/s/vasileiosg-2016.09.12.09.32.22/
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
homeDirectory: /var/vmail/vmail1/savagi.net/v/a/s/vasileiosg-2016.09.12.09.32.
22/
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
amavisLocal: TRUE
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
cn: Vasileios Giannakopoulos
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
givenName: Vasileios
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
sn: Giannakopoulos
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
preferredLanguage: en_US
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
employeeNumber: vasileiosg
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
mobile:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
mailQuota: 10737418240
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
accountStatus: active
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
enabledService: mail
enabledService: deliver
enabledService: lda
enabledService: lmtp
enabledService: smtp
enabledService: smtpsecured
enabledService: pop3
enabledService: pop3secured
enabledService: imap
enabledService: imapsecured
enabledService: managesieve
enabledService: managesievesecured
enabledService: sogo
enabledService: sieve
enabledService: sievesecured
enabledService: forward
enabledService: senderbcc
enabledService: recipientbcc
enabledService: internal
enabledService: lib-storage
enabledService: indexer-worker
enabledService: doveadm
enabledService: dsync
enabledService: shadowaddress
enabledService: displayedInGlobalAddressBook
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
userPassword::
=
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
shadowLastChange: 17070
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x22a1460 msgid -1
wait4msg ld 0x22a1460 msgid -1 (infinite timeout)
wait4msg continue ld 0x22a1460 msgid -1 all 0
** ld 0x22a1460 Connections:
* host: savagi.net  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jan  9 22:15:59 2017


** ld 0x22a1460 Outstanding Requests:
* msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x22a1460 request count 1 (abandoned 0)
** ld 0x22a1460 Response Queue:
   Empty
  ld 0x22a1460 response count 0
ldap_chkResponseList ld 0x22a1460 msgid -1 all 0
ldap_chkResponseList returns ld 0x22a1460 NULL
ldap_int_select
read1msg: ld 0x22a1460 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x22a1460 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x22a1460 0 new referrals
read1msg:  mark request completed, ld 0x22a1460 msgid 2
request done: ld 0x22a1460 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 0 Success
ldap_msgfree

# numResponses: 2
# numEntries: 1
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

One thing I really don't understand is why the command running from my laptop produces different results than running it on the server.

15

Re: ldap ssl

vasileiosg wrote:

    additional info: SSLHandshake() failed: connection closed via error (-9806)
...
    additional info: TLS error -5938:Encountered end of file

There's something wrong with your SSL cert/key. Please double check.

16

Re: ldap ssl

The issue is resolved by following your suggestion. When I changed the certificate in the slapd.conf file, I didn't change it in the ldap.conf file.

Now it works :)

Thank you!