
LDAPs not Connecting

Open obel1x opened this issue 6 months ago • 6 comments

Hey, I managed to get v2.4 running in Docker using my SSL certificates, with my USER_PASSWORD set to accept any user given.

Now I want users to be looked up in my LDAP (FreeIPA) service, also on Docker, with authentication binds as described here: https://doc.dovecot.org/2.4.1/core/config/auth/databases/ldap.html#authentication-binds

The IPA service in Docker is running with IP 172.19.0.3.

My conf looks like this:

passdb ldap {
  driver = ldap
  use_worker = yes
  bind = yes
  bind_userdn = cn=%{user},cn=users,cn=accounts
  ldap_uris = ldaps://172.19.0.3
  ldap_base = dc=obel1x,dc=de
}
userdb ldap {
  ldap_connection_group = userdbgroup1
  use_worker = yes
  driver = ldap
  result_success = continue-ok
  ldap_uris = ldaps://172.19.0.3
  filter = (&(objectClass=posixAccount)(uid=%{user}))
  fields {
    home = %{ldap:homeDirectory}
    uid = %{ldap:uidNumber}
    gid = %{ldap:gidNumber}
  }
  ldap_base = dc=obel1x,dc=de
}

But with that config I am not getting any connection to the server:

Jul 29 21:49:18 stats: Info: {"event":"auth_request_finished","hostname":"f084b7674f9e","start_time":"2025-07-29T21:49:16.559789Z","end_time":"2025-07-29T21:49:18.973674Z","categories":["service:auth","auth"],"fields":{"duration":2413851,"remote_pid":9,"remote_uid":1000,"remote_gid":1000,"policy_result":"ok","mechanism":"PLAIN","transport":"TLS","protocol":"imap","session":"ZALVYBg7BIr9pfWYg+IAAAAAAAAAAAAB","local_ip":"fda5:f598:83e2::c","real_local_ip":"fda5:f598:83e2::c","remote_ip":"fda5:f598:83e2::1","real_remote_ip":"fda5:f598:83e2::1","local_port":31993,"real_local_port":31993,"remote_port":35332,"real_remote_port":35332,"original_user":"username","user":"username","translated_user":"username"}}
Jul 29 21:49:16 auth-worker(17): Error: ldap(ldaps://172.19.0.3:636): Can't connect to server: ldaps://172.19.0.3

I don't know why it's using IPv6 there while I explicitly gave IPv4.

I am also fully on IPv6, which usually works, but I gave IPv4 intentionally to avoid that error, which also occurs on IPv6.

Also it seems like it's doing requests to fda5:f598:83e2::1, which is only the IPv6 gateway of the Docker network, not the IPv6 address of the IPA service (fda5:f598:83e2::3). In my understanding, the gateway should not be needed for IPv6 at all.

Could it be that currently the image is not able to connect when IPv6 is active, as it will handle all connections via that gateway as it would have done with IPv4? IPv6 has been stable in Docker for some time, so this should work.

I would like to dig deeper into it, but the image has very low debugging usability as GNU tools are missing. I really like that small image, but would it be possible to additionally get a larger debugging image with at least commands like ls or ps, ping or curl?

Great work so far, really!

obel1x avatar Jul 29 '25 22:07 obel1x

The IPv6 addresses are about the mail client, not LDAP.

ldap(ldaps://172.19.0.3:636/): Can't connect to server: ldaps://172.19.0.3

is the error here.

cmouse avatar Jul 30 '25 04:07 cmouse

@cmouse yes, that looks like no connection is possible.

But that server is reachable (tested from another container in the same network). How can I verify what is not working? I cannot dig, ping, arp or curl to test...

obel1x avatar Jul 30 '25 15:07 obel1x

Use the -dev image.

cmouse avatar Jul 30 '25 17:07 cmouse

Thank you. Got it working - it was "ssl_client_require_valid_cert", which may also block valid certs from an external LDAP server. Even if they are valid but from Let's Encrypt, which may not be trusted from scratch. It may seem odd, but it would be very nice to have that logged somehow as an invalid cert, instead of looking like no server could be found.

obel1x avatar Aug 02 '25 16:08 obel1x

Hm. Maybe it needs ssl_client_ca_file pointing to the system certs.

cmouse avatar Aug 02 '25 16:08 cmouse

Yes, it should work with the Let's Encrypt CA imported. But I won't do this in a Docker container. For me it's completely fine, as the connection is made inside the Docker stack, so ssl_client_require_valid_cert is a good solution.

obel1x avatar Aug 02 '25 17:08 obel1x
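The thread's root cause was that a failed certificate check surfaces as "Can't connect to server". The probe below is an added example (not part of the thread or of Dovecot) that opens a TLS connection to the LDAPS port with the same strictness as ssl_client_require_valid_cert = yes and separates "unreachable" from "certificate not trusted"; the host and port come from the thread, while the CA bundle path is an assumed Debian/Ubuntu default.

```python
import socket
import ssl

# Constructed sample values: host and port from the thread; the CA bundle path
# is an assumption (Debian/Ubuntu system bundle, adjust for your image).
LDAP_HOST = "172.19.0.3"
LDAP_PORT = 636
CA_FILE = "/etc/ssl/certs/ca-certificates.crt"


def classify_failure(exc):
    """Map an exception from opening a TLS socket to a short diagnosis.

    Order matters: ssl.SSLError is itself an OSError, so the certificate and
    handshake cases must be checked before the generic network case.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-untrusted"      # server answered, chain or name check failed
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"  # server answered, but TLS did not complete
    if isinstance(exc, OSError):       # refused, timeout, no route
        return "unreachable"
    return "unknown"


def probe_ldaps(host=LDAP_HOST, port=LDAP_PORT, cafile=CA_FILE, timeout=5.0):
    """Connect to an LDAPS port with full certificate validation enabled.

    Returns ("ok", subject) on success, or (diagnosis, detail) on failure.
    When connecting by IP, as in the thread, the certificate needs an IP SAN;
    a DNS name matching the certificate is the more robust choice.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # what require_valid_cert=yes demands
    ctx.check_hostname = True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("subject")
    except Exception as exc:  # classified rather than swallowed
        return classify_failure(exc), str(exc)


if __name__ == "__main__":
    print(probe_ldaps())
```

A "cert-untrusted" result means the fix is a CA bundle via ssl_client_ca_file (or importing the issuing CA), not a network change.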