
Message 290886: Re: Postfix ldap_table authenticate to LDAP using GSSAPI or EXTERNAL

  • Eric McCorkle
    Jan 22, 2013
      On 01/23/13 00:51, Eric McCorkle wrote:
      > On 01/23/13 00:49, Viktor Dukhovni wrote:
      >> On Wed, Jan 23, 2013 at 12:33:01AM -0500, Eric McCorkle wrote:
      >>
      >>> Which is due ultimately to there not being a kerberos principal
      >>> available. However, if I add "start_tls = yes" (and set up the
      >>> certificate files), then I get the same "unable to allocate TLS context"
      >>> error.
      >>>
      >>> This seems to suggest that the process can't get at the certs (or the
      >>> keytab), but both are readable by the postfix user, and postalias su'ed
      >>> to postfix seems to work fine.
      >>>
      >>> Not sure if it's relevant, but I have the private key and the keytab
      >>> with permissions set as follows:
      >>>
      >>> chown root:hostkey <path to key>
      >>> chmod 640 <path to key>
      >>>
      >>> Where the "hostkey" group includes the postfix user.
      >>
      >> This does not work, Postfix daemons don't run with the secondary
      >> groups of the "postfix" user. To use a client certificate for
      >> LDAP you must make it readable by the "postfix" user, via:
      >>
      >> chown postfix client-key.pem
      >> chmod 600 client-key.pem
      >>
      >> The "root" user can still read if required.
      >>
      >
      > Well, then that would be the cause. I'll check it out, but in the
      > meantime, thanks for the help!
      >

      Yep, that did it. Thanks.
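The thread turns on one detail of Unix permission checking: a Postfix daemon runs as user "postfix" with only its primary group, so a key readable by a supplementary group such as "hostkey" looks fine from an interactive `su` session (which loads supplementary groups) but is unreadable to the daemon. The following POSIX shell example is added here to make that concrete; it is not code from the thread or from Postfix. It models the kernel's read check on constructed inputs (no real files or accounts are touched) and replays the two layouts discussed above. The "hostkey" group name comes from the thread; the extra cases ("nobody", a 644 root-owned file) are assumptions for illustration.

```shell
#!/bin/sh
# readable_by MODE OWNER GROUP USER PRIMARY_GROUP [SUPPLEMENTARY_GROUPS]
#   MODE  three- or four-digit octal permission string, e.g. 640 or 0640
#   SUPPLEMENTARY_GROUPS  optional space-separated list; leave it out to
#         model a Postfix daemon, which runs with its primary group only
# Returns 0 if USER can read the file under normal Unix DAC rules, 1 if not.
readable_by() {
    rb_mode=$1; rb_owner=$2; rb_group=$3; rb_user=$4; rb_pgrp=$5; rb_supp=${6:-}
    # Drop a leading setuid/setgid/sticky digit; only rwx bits matter here.
    case $rb_mode in ????) rb_mode=${rb_mode#?} ;; esac
    rb_o=${rb_mode%??}                    # owner digit
    rb_g=${rb_mode#?}; rb_g=${rb_g%?}     # group digit
    rb_w=${rb_mode#??}                    # other digit
    # root bypasses the permission bits entirely ("root can still read").
    [ "$rb_user" = root ] && return 0
    if [ "$rb_user" = "$rb_owner" ]; then
        rb_bits=$rb_o                     # owner class wins, even if also in group
    elif [ "$rb_pgrp" = "$rb_group" ]; then
        rb_bits=$rb_g
    else
        case " $rb_supp " in
            *" $rb_group "*) rb_bits=$rb_g ;;   # only if supplementary groups apply
            *)               rb_bits=$rb_w ;;
        esac
    fi
    [ $(( rb_bits & 4 )) -ne 0 ]          # 4 is the read bit of an octal digit
}

# show DESCRIPTION readable_by-ARGS...  -- prints a labelled yes/no line
show() {
    sh_desc=$1; shift
    if readable_by "$@"; then sh_res=yes; else sh_res=no; fi
    printf '%-58s %s\n' "$sh_desc" "$sh_res"
}

# Layout from the original report: chown root:hostkey, chmod 640, where
# "hostkey" is a supplementary group of the postfix user (constructed input).
show "640 root:hostkey, postfix daemon (primary group only)"  640 root hostkey postfix postfix
show "640 root:hostkey, 'su postfix' shell (has hostkey)"     640 root hostkey postfix postfix hostkey
# Layout suggested in the reply: chown postfix, chmod 600.
show "600 postfix:root, postfix daemon"                       600 postfix root postfix postfix
show "600 postfix:root, root"                                 600 postfix root root root
show "600 postfix:root, unrelated user nobody (assumed)"      600 postfix root nobody nobody
```

The first two lines of output explain the symptom in the thread: the same file is "no" for the daemon and "yes" for the `su`'d shell, which is why `postalias` under `su postfix` worked while the daemon reported it could not set up a TLS context. A quick real-world check that avoids the `su` trap is to run the command with supplementary groups cleared, e.g. `su -s /bin/sh -c 'cat /path/to/key' postfix` still loads them, whereas `setpriv --reuid postfix --regid postfix --clear-groups cat /path/to/key` (util-linux) does not.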