ldap – Dovecot Can’t Connect to LDAP Server via LDAPS

Tags: dovecot, ldap, openldap

I have an LDAP server that accepts requests through LDAPS on port 636. I already use it for many of my applications, and I want to have my Dovecot server use it for authentication as well.

Dovecot LDAP config:

uris = ldaps://<<ldap-url>>:636
auth_bind = yes
dn = <<dn>>
dnpass = <<pw>>
ldap_version = 3
base = <<base>>
deref = never
scope = subtree
default_pass_scheme = SSHA
# blocking = yes apparently sometimes helps, but not in this case
blocking = yes

# user filter
#user_attrs = mailHomeDirectory=mail,mailStorageDirectory=mail,mailQuota=quota_rule=*:bytes=%$
user_attrs = 
user_filter = (&(objectClass=mailUser)(maildrop=%u))

# password filter
#pass_attrs  = maildrop=user,userPassword=password
pass_attrs = userPassword=password
pass_filter = (&(objectClass=mailUser)(maildrop=%u))

#iterate_attrs = mail=user
#iterate_filter = (objectClass=mailUser)

The LDAP server is up and running. I can bind to the configured dn with the configured pass and base with JXplorer, but not with Dovecot.

Relevant log part:

dovecot: auth-worker(15177): Error: LDAP: Can't connect to server: ldaps://ldap.ropi.dev:636

Best Answer

The problem (and by extension the solution) is a pretty unique one. So the whole reason why I started doing all of this is that I want to phase out one of my servers. For the most part, I removed all functionality from it, and this is the last one.

This also means that I haven't updated my packages in a while.

Now I use LetsEncrypt certificates for my SSL communication. The thing is, one of the certificates in the chain provided by LetsEncrypt expired on 2021.09.30. Since I hadn't updated the system in a while, I didn't have the new certificate for my cert chain. This was the reason why I kept getting TLS handshake errors.

So the solution in my case was as simple as:

sudo yum upgrade -y
sudo systemctl restart dovecot

Thank you to @naxto asenjo for helping me uncover the issue.
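A way to reproduce the TLS handshake Dovecot's auth-worker performs against the LDAPS server and see whether the system trust store accepts the served chain (an expired intermediate or root shows up here before any Dovecot setting is touched). This is an added helper, not code from the original question, answer or Dovecot; it assumes openssl is installed, and the host name is a placeholder passed on the command line.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or from Dovecot).
# Fetches the certificate chain an LDAPS server sends and lets the system
# trust store verify it, the same check that fails with a handshake error
# when the chain contains an expired intermediate/root certificate.
# Assumes openssl is installed; HOST is a placeholder supplied as argument 1.

# classify_verify: read `openssl s_client` output on stdin, print a verdict.
# Returns 0 if the chain verified, 1 if a certificate has expired, 2 otherwise.
classify_verify() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "chain verified against the system trust store"
        return 0
    fi
    if printf '%s\n' "$out" | grep -qi 'certificate has expired'; then
        echo "a certificate in the chain has expired: update the CA bundle or the served chain"
        return 1
    fi
    echo "verification failed: $(printf '%s\n' "$out" | grep 'Verify return code' | head -n 1)"
    return 2
}

# chain_dates: read `openssl s_client -showcerts` output on stdin and print
# subject and notAfter for every certificate the server sent.
chain_dates() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERT/{n++; f=1} f{print > (d "/" n ".pem")} /-----END CERT/{f=0}'
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        openssl x509 -in "$pem" -noout -subject -enddate
    done
    rm -rf "$tmp"
}

# diagnose_ldaps HOST [PORT]: run both checks against a live server.
diagnose_ldaps() {
    host=$1; port=${2:-636}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>&1)
    printf '%s\n' "$out" | chain_dates
    printf '%s\n' "$out" | classify_verify
}

# Only contact a server when a host is given, e.g.: sh ldaps-check.sh ldap.example.invalid 636
if [ "$#" -gt 0 ]; then
    diagnose_ldaps "$@"
fi
```

If `classify_verify` reports an expired certificate while the server's own leaf is current, the stale item is usually the CA bundle on the client host, which is exactly what the package upgrade in the answer refreshed.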