On 17/04/2020 at 16:58, Scott Kitterman wrote:
> On Tue, 7 Jan 2020 12:19:48 +0100 Vincent Danjean <vdanj...@debian.org> wrote:
>>> I'm not sure what should be done:
>>> - nothing (let the administrator handle the situation as currently)
>>> - add support for tls_ca_cert_file/tls_ca_cert_dir in
>>> /usr/lib/postfix/configure-instance.sh (as for
>>> smtp_tls_CApath/smtp_tls_CAfile)
>>> ok, but you have to handle every situation. And I'm pretty sure that
>>> lots of other uses of ldaps do not need to copy these files in chroot (because
>>> ldaps won't be used in chroot process) else this bug would have been fixed
>>> long before
>>
>> => this is more difficult: it requires to find all ldap:XXX maps and
>> parse them...
>
> I don't personally use the LDAP support, so my ability to come up with a
> solution to the problem and test it is limited. If you can send me (direct is
> fine if you don't want it in the bug) a copy of the maps file, I'll see if I can
> come up with something.
No problem to copy the information in the bug report. In main.cf, I have:
=====================
[...]
canonical_maps = hash:/etc/postfix/canonical ldap:/etc/postfix/canonical-ldap.cf
=====================
In /etc/postfix/canonical-ldap.cf, I have (with anonymization):
=====================
debug_level = 1
version = 3
server_host = ldaps://serv-ad.domain.fr:636 ldaps://serv-ad-rep.domain.fr:636
search_base = cn=Users,dc=domain,dc=fr
query_filter = (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(sAMAccountName=%u))
result_attribute = mail
timeout = 10
bind = yes
bind_dn = cn=ldap-connect-user,cn=Users,dc=domain,dc=fr
bind_pw = password
#start_tls = yes
tls_ca_cert_file = /etc/ssl/certs/local-certificate.pem
tls_require_cert = yes
# only do ldap request for local name
domain = machine.domain.fr
=====================
In my case, I need /etc/ssl/certs/local-certificate.pem to be installed in the
chroot (and recopied when it changes).
But, according to ldap_table(5), you would have to handle tls_ca_cert_dir,
tls_ca_cert_file, tls_cert, and tls_key if used (and the first is a directory,
not a file).

  Regards,
    Vincent

> We already manage dynamicmaps.cf via shell in postinst/prerm. Doing something
> similar in configure-instance.sh should be possible.

If it is too complex to handle all possible configurations, a hook in
configure-instance.sh to be used by the local admin would be very convenient.

  Regards,
    Vincent

> Scott K
>

--
Vincent Danjean       GPG key ID 0xD17897FA       vdanj...@debian.org
GPG key fingerprint: 621E 3509 654D D77C 43F5 CA4A F6AE F2AF D178 97FA
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main
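A hook of the kind discussed in this thread, written here as an added example that is not part of the Debian postfix package, of configure-instance.sh or of the bug report: it lists the ldap: tables referenced from main.cf, reads the four TLS settings named above from each table, and copies each file or directory into the chroot at the same absolute path, preserving permissions so a copied tls_key keeps its mode. It assumes POSIX sh, that main.cf is parsed directly (a packaged version would go through postconf), that ldap tables are given as absolute paths in "key = value" form, and that the chroot root (normally /var/spool/postfix) is passed as the second argument.

```shell
#!/bin/sh
# Added example, not the Debian package's own script: mirror the TLS files
# referenced by ldap: lookup tables into the Postfix chroot.
set -e

# List the ldap:/absolute/path tables referenced anywhere in main.cf ($1).
# Splits on spaces, tabs and commas so several maps per line are handled.
ldap_tables() {
    tr ' ,\t' '\n\n\n' < "$1" | sed -n 's/^ldap:\(\/.*\)$/\1/p' | sort -u
}

# Print the value of "key = value" in table file $1 for key $2.
# Commented-out lines (e.g. "#start_tls = yes") are ignored; last value wins.
ldap_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Copy file or directory $2 into chroot $1 at the same absolute path.
# cp -p keeps owner/mode so a private key does not become world readable.
copy_into_chroot() {
    src=$2
    dst="$1$src"
    if [ -d "$src" ]; then
        mkdir -p "$dst"
        cp -pR "$src/." "$dst/"
    elif [ -f "$src" ]; then
        mkdir -p "$(dirname "$dst")"
        cp -p "$src" "$dst"
    else
        # A missing CA file means tls_require_cert = yes will fail in the
        # chroot, so say so instead of silently skipping.
        echo "warning: $src referenced from $table but missing" >&2
        return 1
    fi
}

# Entry point: $1 = main.cf, $2 = chroot directory. Prints each path copied.
# Unreadable tables are skipped; the four keys are those from ldap_table(5).
sync_ldap_tls_files() {
    ldap_tables "$1" | while read -r table; do
        [ -r "$table" ] || continue
        for key in tls_ca_cert_dir tls_ca_cert_file tls_cert tls_key; do
            path=$(ldap_setting "$table" "$key")
            [ -n "$path" ] || continue
            copy_into_chroot "$2" "$path" && echo "$path"
        done
    done
}

# Usage on a Debian host: sync_ldap_tls_files /etc/postfix/main.cf /var/spool/postfix
```

Run it from the same place configure-instance.sh already copies smtp_tls_CAfile, or from a cron job, so the chroot copy is refreshed whenever the CA file changes.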