Re: Postfix ldap_table authenticate to LDAP using GSSAPI or EXTERNAL
- On 01/23/13 00:51, Eric McCorkle wrote:
> On 01/23/13 00:49, Viktor Dukhovni wrote:Yep, that did it. Thanks.
>> On Wed, Jan 23, 2013 at 12:33:01AM -0500, Eric McCorkle wrote:
>>> Which is due ultimately to there not being a kerberos principal
>>> available. However, if I add "start_tls = yes" (and set up the
>>> certificate files), then I get the same "unable to allocate TLS context"
>>> This seems to suggest that the process can't get at the certs (or the
>>> keytab), but both are readable by the postfix user, and postalias su'ed
>>> to postfix seems to work fine.
>>> Not sure if it's relevant, but I have the private key and the keytab
>>> with permissions set as follows:
>>> chown root:hostkey <path to key>
>>> chmod 640 <path to key>
>>> Where the "hostkey" group includes the postfix user.
>> This does not work, Postfix daemons don't run with the secondary
>> groups of the "postfix" user. To use a client certificate for
>> LDAP you must make it readable by the "postfix" user, via:
>> chown postfix client-key.pem
>> chmod 600 client-key.pem
>> The "root" user can still read if required.
> Well, then that would be the cause. I'll check it out, but in the mean
> time, thanks for the help!