290884 Re: Postfix ldap_table authenticate to LDAP using GSSAPI or EXTERNAL

  • Viktor Dukhovni
    Jan 22, 2013
      On Wed, Jan 23, 2013 at 12:33:01AM -0500, Eric McCorkle wrote:

      > Which is due ultimately to there not being a kerberos principal
      > available. However, if I add "start_tls = yes" (and set up the
      > certificate files), then I get the same "unable to allocate TLS context"
      > error.
      >
      > This seems to suggest that the process can't get at the certs (or the
      > keytab), but both are readable by the postfix user, and postalias su'ed
      > to postfix seems to work fine.
      >
      > Not sure if it's relevant, but I have the private key and the keytab
      > with permissions set as follows:
      >
      > chown root:hostkey <path to key>
      > chmod 640 <path to key>
      >
      > Where the "hostkey" group includes the postfix user.

      This does not work: Postfix daemons don't run with the secondary
      groups of the "postfix" user. To use a client certificate for
      LDAP you must make it readable by the "postfix" user, via:

      chown postfix client-key.pem
      chmod 600 client-key.pem

      The "root" user can still read if required.

      --
      Viktor.
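The permission question in this exchange comes down to one rule: a Postfix daemon that has dropped privileges holds only the postfix user's primary group, so group-readable files owned by some other group that postfix belongs to are invisible to it, even though an interactive `su` shell (which does get supplementary groups) can read them. The following script is an added illustration, not code from the list or from Postfix itself; it models both kinds of process, evaluates the two layouts discussed above (root:hostkey 640 versus postfix-owned 600), and also checks a third layout that the thread does not mention (root:postfix 640, readable through the primary group). The numeric uids and gids are constructed placeholders, and `check_key_file` assumes the named user exists on the host where it runs.

```python
import os
import pwd
import stat

# Constructed placeholder ids (not taken from the mailing-list post).
POSTFIX_UID = 1001
POSTFIX_PRIMARY_GID = 1001   # the "postfix" group
HOSTKEY_GID = 2000           # the "hostkey" group; postfix is only a secondary member
ROOT_UID = 0
ROOT_GID = 0


def readable_with_primary_group_only(mode, file_uid, file_gid, uid, primary_gid):
    """True if a process with (uid, primary_gid) and no supplementary groups
    can read a file with these mode bits, owner uid and group gid.
    This models a Postfix daemon after it drops root: per the thread, it keeps
    only the postfix user's primary group."""
    if uid == 0:
        return True                       # root bypasses discretionary read checks
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if primary_gid == file_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readable_with_supplementary_groups(mode, file_uid, file_gid, uid, groups):
    """Same check for a process that also holds supplementary groups,
    e.g. an interactive 'su - postfix' shell used to test with postalias."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_key_file(path, user="postfix"):
    """Inspect a real file and report whether a daemon running as `user`
    (primary group only) could read it. Assumes `user` exists in the passwd db."""
    pw = pwd.getpwnam(user)
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    ok = readable_with_primary_group_only(mode, st.st_uid, st.st_gid, pw.pw_uid, pw.pw_gid)
    return {"path": path, "mode": oct(mode), "owner_uid": st.st_uid,
            "group_gid": st.st_gid, "daemon_readable": ok}


def thread_scenarios():
    """Evaluate the layouts from the thread for a postfix daemon, for an
    su shell that carries the secondary 'hostkey' group, and for root."""
    asked = dict(mode=0o640, file_uid=ROOT_UID, file_gid=HOSTKEY_GID)        # chown root:hostkey; chmod 640
    answer = dict(mode=0o600, file_uid=POSTFIX_UID, file_gid=ROOT_GID)       # chown postfix; chmod 600
    alt = dict(mode=0o640, file_uid=ROOT_UID, file_gid=POSTFIX_PRIMARY_GID)  # root:postfix 640 (added case)
    shell_groups = {POSTFIX_PRIMARY_GID, HOSTKEY_GID}
    daemon = dict(uid=POSTFIX_UID, primary_gid=POSTFIX_PRIMARY_GID)
    return {
        "root:hostkey 640, daemon": readable_with_primary_group_only(**asked, **daemon),
        "root:hostkey 640, su shell": readable_with_supplementary_groups(**asked, uid=POSTFIX_UID, groups=shell_groups),
        "postfix 600, daemon": readable_with_primary_group_only(**answer, **daemon),
        "postfix 600, root": readable_with_primary_group_only(**answer, uid=ROOT_UID, primary_gid=ROOT_GID),
        "root:postfix 640, daemon": readable_with_primary_group_only(**alt, **daemon),
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:28s} -> {'readable' if ok else 'NOT readable'}")
```

The su-shell scenario is why "postalias su'ed to postfix seems to work fine" is not a valid test of what the daemon sees; `check_key_file` gives the daemon's view directly from the on-disk ownership and mode bits.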