
dict_ldap_connect: Unable to bind to server ldap://localhost:389 as : 2 (Protocol error)

  • Lou Picciano
    Message 1 of 6, Feb 28, 2008
      Postfix Friends:

      Here's a weird one I know someone has seen before -
      Issue: Cannot get postfix to query LDAP in Protocol 3, even though it's explicitly specified.
      Recent changes: Have moved over to a BDB backend, this has been working aok...

      Our environment includes:
      Postfix 2.5.1
      OpenLDAP 2.3.35 (using the JAMM schema, for the moment...)
      (Solaris 10)

      #postmap -v -q "Alice@..." ldap:accounts
      postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
      postmap: dict_ldap_connect: Actual Protocol version used is 2.
      postmap: dict_ldap_connect: Binding to server ldap://localhost:389 as dn
      postmap: warning: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as : 2 (Protocol error)

      ldap:accounts source contains this: ---------------------------------
      # = = = LDAP ACCOUNTS
      accounts_server_host = 127.0.0.1
      version = 3
      search_base = o=mail,dc=wonderland,dc=com
      accounts_query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
      accounts_result_attribute = mailbox
      accounts_bind = no

      (Syntax of other ldap sources - for domains, aliases, accountmaps - is similar)

      we see the same result: ----------------------------------------------
      - whether the LDAP tree is populated or empty...
      - no matter which ldap 'source' we use (we have set up several)
      - whether the ldap version is specified as 'accounts_version = 3' or 'version = 3'

      ldapsearch, however works as expected: -------------------------------------
      # ldapsearch -P2 -x -b dc=wonderland,dc=com
      ldap_bind: Protocol error (2)
      additional info: historical protocol version requested, use LDAPv3 instead
      - OR -
      # ldapsearch -P3 -x -b dc=wonderland,dc=com
      # extended LDIF
      #
      # LDAPv3
      # base <dc=wonderland,dc=com> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      ( - - - - LOTS OF OUTPUT - - - -)

      ldd indicates our Postfix build is correctly linked to OpenLDAP libraries: -----------------------------------------
      # ldd postmap
      libldap-2.3.so.0 => /usr/local/lib/libldap-2.3.so.0
      (etc)

      Have also deleted the SUNW ldap packages, to avoid any confusions...

      I've seen various notes - perhaps originating from this list - indicating the 'virtual_' prefix may help; have tried this, too, with no luck.

      I'm betting about 50 of you know the answer to this one!

      Thanks in advance, Lou
    • Victor Duchovni
      Message 2 of 6, Feb 28, 2008
        On Thu, Feb 28, 2008 at 11:00:41PM +0000, Lou Picciano wrote:

        > Postfix Friends:
        >
        > Here's a weird one I know someone has seen before -
        > Issue: Cannot get postfix to query LDAP in Protocol 3, even though it's explicitly specified.
        > Recent changes: Have moved over to a BDB backend, this has been working aok...
        >
        > Our environment includes:
        > Postfix 2.5.1
        > OpenLDAP 2.3.35 (using the JAMM schema, for the moment...)
        > (Solaris 10)
        >
        > #postmap -v -q "Alice@..." ldap:accounts
        > postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
        > postmap: dict_ldap_connect: Actual Protocol version used is 2.
        > postmap: dict_ldap_connect: Binding to server ldap://localhost:389 as dn
        > postmap: warning: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as : 2 (Protocol error)
        >
        > ldap:accounts source contains this: ---------------------------------
        > # = = = LDAP ACCOUNTS
        > accounts_server_host = 127.0.0.1
        > version = 3
        > search_base = o=mail,dc=wonderland,dc=com
        > accounts_query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
        > accounts_result_attribute = mailbox
        > accounts_bind = no

        Why are the parameters "version" and "search_base" not prefixed with the
        "accounts_" prefix used with "server_host", "query_filter", ...?

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
      • Lou Picciano
        Message 3 of 6, Mar 1, 2008
          Victor,

          As I mentioned in my original post, I had already tried the syntax within the ldap source both prefixed, and non-prefixed, with same results...
          (I simply sent you the result of the last experiment!)

          I've since updated OpenLDAP to v2.4.8, and have rebuilt Postfix 2.5.1 against it. Per your note, all entries in ldap sources are 'prefixed' appropriately:

          # = = = LDAP DOMAINS - have similar files for accounts, accountsmaps and aliases.
          domains_server_host = 127.0.0.1
          domains_version = 3
          domains_search_base = o=mail,dc=realdomainname,dc=com
          domains_query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
          domains_result_attribute = jvd
          domains_bind = no
          domains_scope = one

          - Though all ldap 'source' definitions are in same dir as main.cf, postmap responds as if it cannot read the file
          - (we have made an entry in the LDAP tree for virtual domain 'wonderland.com', though this seems to be irrelevant)
          - in main.cf, we've tried both: virtual_mailbox_domains=ldap:domains _AND_ virtual_mailbox_domains=ldap:/etc/postfix/domains - with same result
          - LDAP is processing the request - throwing the standard 'historical protocol ... use LDAPv3' message

          Postmap appears to be connecting in Protocol 2, and cannot read the search base. Is there a way to be sure postmap is even reading the /etc/postfix/domains file?

          # postmap -v -c /etc/postfix -q "wonderland.com" ldap:domains
          ...
          postmap: dict_open: ldap:domains
          postmap: dict_ldap_lookup: In dict_ldap_lookup
          postmap: dict_ldap_lookup: No existing connection for LDAP source domains, reopening
          postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
          postmap: dict_ldap_connect: Actual Protocol version used is 2.
          postmap: dict_ldap_connect: Binding to server ldap://localhost:389 as dn
          postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 as
          postmap: dict_ldap_connect: Cached connection handle for LDAP source domains
          postmap: dict_ldap_lookup: domains: Searching with filter (mailacceptinggeneralid=wonderland.com)
          postmap: warning: dict_ldap_lookup: domains: Search base '' not found: 32: No such object
          postmap: dict_ldap_close: Closed connection handle for LDAP source domains

          Hmmm..... Thanks, Lou Picciano



        • Victor Duchovni
          Message 4 of 6, Mar 1, 2008
            On Sat, Mar 01, 2008 at 02:33:28PM +0000, Lou Picciano wrote:

            > Victor,
            >
            > As I mentioned in my original post, I had already tried the syntax within the ldap source both prefixed, and non-prefixed, with same results...
            > (I simply sent you the result of the last experiment!)
            >
            > I've since updated OpenLDAP to v2.4.8, and have rebuilt Postfix 2.5.1 against it. Per your note, all entries in ldap sources are 'prefixed' appropriately:
            >
            > # = = = LDAP DOMAINS - have similar files for accounts, accountsmaps and aliases.
            > domains_server_host = 127.0.0.1
            > domains_version = 3
            > domains_search_base = o=mail,dc=realdomainname,dc=com
            > domains_query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
            > domains_result_attribute = jvd
            > domains_bind = no
            > domains_scope = one
            >
            > - Though all ldap 'source' definitions are in same dir as main.cf, postmap responds as if it cannot read the file

            What do you mean by "in the same dir"? The above syntax is for settings in main.cf
            and table references of the form "ldap:domains". If you want settings in a
            separate file, remove *all* the prefixes, and use:

            ldap:/etc/postfix/domains.cf

            assuming that the file is /etc/postfix/domains.cf. You sure seem to have
            the wrong end of the stick...

            --
            Viktor.

          • Lou Picciano
            Message 5 of 6, Mar 2, 2008
              Victor,

              Yes, we clearly have something fundamental not working here.
              Apologies if I've added to the confusion.

              Our issue remains that we cannot query against an LDAP store if that ldap source
              is defined in its own file.
              To clarify: We have the following files impacting ldap:

              in directory /etc/postfix:
              main.cf
              domains
              aliases
              accounts
              accountsmaps

              - snippet of main.cf:
              ...
              # = = = = = = = = = = LDAP SETUP = = = = = = = = = = = = = = = = = =
              # LDAP sources: accounts, accountsmaps, domains, aliases
              # - First: the virtual alias maps
              virtual_alias_maps = ldap:/etc/postfix/accountsmap, ldap:/etc/postfix/aliases

              #virtual_transport = virtual

              # This sets up the domain-based email under vmail's 'home' dir
              virtual_mailbox_base = /export/home/vmail/domains

              virtual_mailbox_maps = ldap:/etc/postfix/accounts
              virtual_mailbox_domains = ldap:/etc/postfix/domains
              # =======

              For the file 'domains', we've tried it two ways:

              1) - content of /etc/postfix/domains: (other 3 ldap 'source' files use similar
              syntax)
              # = = = LDAP DOMAINS
              domains_server_host = 127.0.0.1
              domains_version = 3
              #domains_port = 389
              domains_search_base = o=mail,dc=realdomainname,dc=com
              domains_query_filter =
              (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
              domains_result_attribute = jvd
              domains_bind = no
              domains_scope = one
              # end LDAP DOMAINS = = = = = = = = = = = = = = = = = = = = = = = = = = =

              - OR -
              2) - content of /etc/postfix/domains:
              # = = = LDAP DOMAINS
              server_host = 127.0.0.1
              version = 3
              #port = 389
              search_base = o=mail,dc=realdomainname,dc=com
              query_filter =
              (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
              result_attribute = jvd
              bind = no
              scope = one
              # end LDAP DOMAINS = = = = = = = = = = = = = = = = = = = = = = = = = = =

              With _either_ formatting of the 'domains' file, we cannot get postmap to make
              use of the domains source:

              postmap: dict_ldap_connect: Actual Protocol version used is 2.
              postmap: dict_ldap_connect: Binding to server ldap://localhost:389 as dn
              postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 as
              postmap: dict_ldap_connect: Cached connection handle for LDAP source domains
              postmap: dict_ldap_lookup: domains: Searching with filter (mailacceptinggeneralid=wonderland.com)
              postmap: warning: dict_ldap_lookup: domains: Search base '' not found: 32: No such object

              Please note: All of this _does_ work fine if we put each ldap source definition
              directly into main.cf, so this has become something of an academic exercise.
              LDAP sources as external files should work fine, though, right?

              Thanks. Lou

            • Victor Duchovni
              Message 6 of 6, Mar 2, 2008
                On Sun, Mar 02, 2008 at 08:38:35PM +0000, Lou Picciano wrote:

                > Victor,
                >
                > Yes, we clearly have something fundamental not working here.
                > Apologies if I've added to the confusion.
                >
                > Our issue remains that we cannot query against an LDAP store if that ldap source
                > is defined in its own file.
                > To clarify: We have the following files impacting ldap:
                >
                > in directory /etc/postfix:
                > main.cf
                > domains
                > aliases
                > accounts
                > accountsmaps
                >
                > - snippet of main.cf:
                > ...
                > # = = = = = = = = = = LDAP SETUP = = = = = = = = = = = = = = = = = =
                > # LDAP sources: accounts, accountsmaps, domains, aliases
                > # - First: the virtual alias maps
                > virtual_alias_maps = ldap:/etc/postfix/accountsmap, ldap:/etc/postfix/aliases
                >
                > #virtual_transport = virtual
                >
                > # This sets up the domain-based email under vmail's 'home' dir
                > virtual_mailbox_base = /export/home/vmail/domains
                >
                > virtual_mailbox_maps = ldap:/etc/postfix/accounts
                > virtual_mailbox_domains = ldap:/etc/postfix/domains
                > # =======
                >
                > For the file 'domains', we've tried it two ways:
                >
                > 1) - content of /etc/postfix/domains: (other 3 ldap 'source' files use similar
                > syntax)
                > # = = = LDAP DOMAINS
                > domains_server_host = 127.0.0.1
                > domains_version = 3
                > #domains_port = 389
                > domains_search_base = o=mail,dc=realdomainname,dc=com
                > domains_query_filter =
                > (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
                > domains_result_attribute = jvd
                > domains_bind = no
                > domains_scope = one
                > # end LDAP DOMAINS = = = = = = = = = = = = = = = = = = = = = = = = = = =

                This is wrong. Prefixes are only used with settings in main.cf

                > - OR -
                > 2) - content of /etc/postfix/domains:
                > # = = = LDAP DOMAINS
                > server_host = 127.0.0.1
                > version = 3
                > #port = 389
                > search_base = o=mail,dc=realdomainname,dc=com
                > query_filter =
                > (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
                > result_attribute = jvd
                > bind = no
                > scope = one
                > # end LDAP DOMAINS = = = = = = = = = = = = = = = = = = = = = = = = = = =
                >

                This is correct (assuming the query filter is actually on one line or
                the second line starts with whitespace). Show more detailed evidence for
                this case.

                > With _either_ formatting of the 'domains' file, we cannot get postmap to make
                > use of the domains source:
                >
                > postmap: dict_ldap_connect: Actual Protocol version used is 2.
                > postmap: dict_ldap_connect: Binding to server ldap://localhost:389 as dn
                > postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 as
                > postmap: dict_ldap_connect: Cached connection handle for LDAP source domains
                > postmap: dict_ldap_lookup: domains: Searching with filter (mailacceptinggeneralid=wonderland.com)

                Clearly not using the filter you defined, so your settings are not the
                correct version above.

                If you are having to guess randomly between documented syntax and a
                main.cf/external-file chimera, you should read the documentation until
                it becomes clear. Once you *know* you have the right settings, and they
                still don't work, report clear evidence here.

                --
                Viktor.

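Viktor's rules in messages 4 and 6 (prefixed names belong in main.cf with a `ldap:name` table reference; a file referenced as `ldap:/path/file` uses bare names; a wrapped value continues only on a line that starts with whitespace) can be checked mechanically. The Python below is an added example, not part of this thread and not Postfix's own code: it models how Postfix reads a `name = value` file, which names one LDAP table would actually pick up, and maps the result onto the symptoms in the postmap traces quoted above. Assumptions: the values in `LDAP_DEFAULTS` are the defaults as documented in ldap_table(5) (version 2, empty search_base, query_filter `(mailacceptinggeneralid=%s)`), not values stated in the thread; `parse_postfix_config`, `effective_ldap_settings` and `diagnose` are names chosen here; the two sample files are reconstructed from Lou's 'domains' variants. It goes one step beyond the thread by also evaluating the prefixed text as main.cf content and by covering the unindented-wrap case.

```python
# Defaults from ldap_table(5) for the settings in this thread (assumed from
# the manual page, not stated in the thread).
LDAP_DEFAULTS = {
    "server_host": "localhost", "version": "2", "search_base": "",
    "query_filter": "(mailacceptinggeneralid=%s)", "result_attribute": "maildrop",
    "bind": "yes", "scope": "sub",
}


def parse_postfix_config(text):
    """Postfix 'name = value' syntax (postconf(5)): blank lines and lines whose
    first non-blank character is '#' are ignored; a line that starts with
    whitespace continues the previous logical line."""
    params, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation line
            if last_key is None:
                raise ValueError("continuation before any parameter: %r" % raw)
            params[last_key] = (params[last_key] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            raise ValueError("missing '=' in line: %r" % raw)
        key, _, value = raw.partition("=")
        params[key.strip()] = value.strip()
        last_key = key.strip()
    return params


def effective_ldap_settings(text, table_name=None):
    """Return (settings, unused_keys) for one LDAP table.
    table_name=None: text is an external file (ldap:/path/file), names are bare.
    table_name="x":  text is main.cf and the table is ldap:x, names are x_*.
    Unrecognised names stay unused, so the documented default applies."""
    prefix = table_name + "_" if table_name else ""
    settings, unused = dict(LDAP_DEFAULTS), []
    for key, value in parse_postfix_config(text).items():
        name = key[len(prefix):] if key.startswith(prefix) else None
        if name in settings:
            settings[name] = value
        else:
            unused.append(key)
    return settings, unused


def diagnose(text, table_name=None):
    """Map the effective settings onto the symptoms in the postmap trace."""
    settings, unused = effective_ldap_settings(text, table_name)
    findings = []
    if table_name is None:
        chimera = [k for k in unused if any(k.endswith("_" + n) for n in LDAP_DEFAULTS)]
        if chimera:
            findings.append("prefixed names are ignored in an external file: " + ", ".join(chimera))
    if settings["version"] != "3":
        findings.append("version is %s: a server that only allows LDAPv3 refuses the "
                        "bind with 'Protocol error'" % settings["version"])
    if settings["search_base"] == "":
        findings.append("search_base is empty: \"Search base '' not found: 32: No such object\"")
    if settings["query_filter"] == LDAP_DEFAULTS["query_filter"]:
        findings.append("query_filter is the default %s: your filter was never read"
                        % LDAP_DEFAULTS["query_filter"])
    elif settings["query_filter"] == "":
        findings.append("query_filter is empty: a wrapped filter line must start with whitespace")
    return findings


# Sample inputs constructed from the two 'domains' variants posted in this thread.
PREFIXED = """\
# = = = LDAP DOMAINS
domains_server_host = 127.0.0.1
domains_version = 3
domains_search_base = o=mail,dc=realdomainname,dc=com
domains_query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
domains_result_attribute = jvd
domains_bind = no
domains_scope = one
"""

UNPREFIXED = """\
# = = = LDAP DOMAINS
server_host = 127.0.0.1
version = 3
search_base = o=mail,dc=realdomainname,dc=com
query_filter =
    (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
result_attribute = jvd
bind = no
scope = one
"""

BADLY_WRAPPED = UNPREFIXED.replace("\n    (&", "\n(&")   # wrap lost its indent

if __name__ == "__main__":
    for label, text, table in [("prefixed names, external file", PREFIXED, None),
                               ("prefixed names, main.cf", PREFIXED, "domains"),
                               ("bare names, external file", UNPREFIXED, None),
                               ("bare names, filter wrapped unindented", BADLY_WRAPPED, None)]:
        print(label + ":", diagnose(text, table) or "no problems found")
```

Run as a script, the prefixed file in external-file mode reproduces the trace Lou posted: every `domains_*` name is unused, so version falls back to 2, search_base to '' and query_filter to `(mailacceptinggeneralid=%s)`. The same text read as main.cf for `ldap:domains` reports nothing, as does the bare-name file, while the unindented wrap leaves query_filter empty, which is the case Viktor's "starts with whitespace" remark is about.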