OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as : 2 (Protocol error)

From: Lou Picciano (LouPiccianocomcast.net)
Date: Sat Mar 01 2008 - 08:33:28 CST

Victor,

As I mentioned in my original post, I had already tried the syntax within the ldap source both prefixed, and non-prefixed, with same results...
(I simply sent you the result of the last experiment!)

I've since updated OpenLDAP to v2.4.8, and have rebuilt Postfix 2.5.1 against it. Per your note, all entries in ldap sources are 'prefixed' appropriately:

# = = = LDAP DOMAINS - have similar files for accounts, accountsmaps and aliases.
domains_server_host = 127.0.0.1
domains_version = 3
domains_search_base = o=mail,dc=realdomainname,dc=com
domains_query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
domains_result_attribute = jvd
domains_bind = no
domains_scope = one

- Though all ldap 'source' definitions are in same dir as main.cf, postmap responds as if it cannot read the file
- (we have made an entry in the LDAP tree for virtual domain 'wonderland.com', though this seems to be irrelevant)
- in main.cf, we've tried both: virtual_mailbox_domains=ldap:domains _AND_ virtual_mailbox_domains=ldap:/etc/postfix/domains - with same result
- LDAP is processing the request - throwing the standard 'historical protocol ... use LDAPv3' message

Postmap appears to be connecting in Protocol 2, and cannot read the search base. Is there a way to be sure postmap is even reading the /etc/postfix/domains file?

# postmap -v -c /etc/postfix -q "wonderland.com" ldap:domains
...
postmap: dict_open: ldap:domains
postmap: dict_ldap_lookup: In dict_ldap_lookup
postmap: dict_ldap_lookup: No existing connection for LDAP source domains, reopening
postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
postmap: dict_ldap_connect: Actual Protocol version used is 2.
postmap: dict_ldap_connect: Binding to server ldap://localhost:389 as dn
postmap: dict_ldap_connect: Successful bind to server ldap://localhost:389 as
postmap: dict_ldap_connect: Cached connection handle for LDAP source domains
postmap: dict_ldap_lookup: domains: Searching with filter (mailacceptinggeneralid=wonderland.com)
postmap: warning: dict_ldap_lookup: domains: Search base '' not found: 32: No such object
postmap: dict_ldap_close: Closed connection handle for LDAP source domains

Hmmm..... Thanks, Lou Picciano

 -------------- Original message ----------------------
From: Victor Duchovni <Victor.DuchovniMorganStanley.com>
> On Thu, Feb 28, 2008 at 11:00:41PM +0000, Lou Picciano wrote:
>
> > Postfix Friends:
> >
> > Here's a weird one I know someone has seen before -
> > Issue: Cannot get postfix to query LDAP in Protocol 3, even though it's
> explicitly specified.
> > Recent changes: Have moved over to a BDB backend, this has been working aok...
> >
> > Our environment includes:
> > Postfix 2.5.1
> > OpenLDAP 2.3.35 (using the JAMM schema, for the moment...)
> > (Solaris 10)
> >
> > #postmap -v -q "Alicewonderland.com" ldap:accounts
> > postmap: dict_ldap_connect: Connecting to server ldap://localhost:389
> > postmap: dict_ldap_connect: Actual Protocol version used is 2.
> > postmap: dict_ldap_connect: Binding to server ldap://localhost:389 as dn
> > postmap: warning: dict_ldap_connect: Unable to bind to server
> ldap://localhost:389 as : 2 (Protocol error)
> >
> > ldap:accounts source contains this: ---------------------------------
> > # = = = LDAP ACCOUNTS
> > accounts_server_host = 127.0.0.1
> > version = 3
> > search_base = o=mail,dc=wonderland,dc=com
> > accounts_query_filter =
> (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
> > accounts_result_attribute = mailbox
> > accounts_bind = no
>
> Why are the parameters "version" and "search_base" not prefixed with the
> "accounts_" prefix used with "server_host", "query_filter", ...?
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.