haraka-plugin-auth-ldap's Introduction

haraka-plugin-auth-ldap

The auth/auth_ldap plugin authenticates a user by performing an LDAP bind with the user's credentials. Currently only one server, but multiple DNs, can be configured. If any of the DN binds succeeds, the user is authenticated.

Configuration

Configuration is stored in config/auth_ldap.ini and uses the INI style formatting.

PLAIN and LOGIN are the only supported SMTP AUTH methods, because both hand the plugin the cleartext password that an LDAP bind requires. CRAM-MD5 cannot be offered: it needs the server to know the cleartext password, and passwords in an LDAP directory are normally stored hashed. Note that this means the password is sent in the clear to the LDAP server unless an ldaps:// connection is used, so ldaps:// should be treated as a requirement rather than an option in any real deployment.

Current configuration options in [core] are:

server - the URL of the LDAP server (ldap:// or ldaps://)
timeout - time in milliseconds to wait for the server response before giving up
rejectUnauthorized - boolean (true or false): whether to reject ldaps:// connections whose server certificate
    does not verify against a trusted CA. "false" accepts unverified certificates, which means any host that can
    intercept the connection can present its own certificate and read the PLAIN/LOGIN passwords the plugin forwards.
    Prefer "true"; if the LDAP server uses a private CA, make that CA trusted by Node (for example through the
    NODE_EXTRA_CA_CERTS environment variable, which Node applies to TLS connections that do not override the CA list)
    rather than turning verification off.

Example:

[core]
server=ldaps://ldap.opoet.com
timeout=5000
rejectUnauthorized=false

The [dns] section (that is, plural DN, not the domain name system) is a list of DNs to try to bind with. The %u in each string is substituted with the user name given during SMTP authentication. The keys have no meaning; the DNs are tried in series, in the order listed, until the first successful bind. The LDAP protocol does not allow parallel binds on one connection, so place the most commonly used DN earliest in the list. This section does not describe any escaping of the substituted user name, so if user names can contain DN special characters (comma, plus sign, quotes, backslash), verify how such names are handled before exposing the server.

Example:

[dns]
dn1=uid=%u,ou=Users,dc=opoet,dc=com
dn2=uid=%u,ou=people,dc=opoet,dc=com
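Added example, not code from haraka-plugin-auth-ldap: a JavaScript sketch of what the [core]/[dns] configuration and the %u substitution described above amount to, namely parsing the INI file, expanding each DN template with an escaped user name, and trying the templates in series until one bind succeeds. The INI parser, the RFC 4514 escaping, the serial bind loop, the injected tryBind function and the mock directory are all assumptions of this example; the plugin itself binds through an LDAP client whose bind is asynchronous, and this page does not say whether it escapes %u.

```javascript
// Added example (not part of haraka-plugin-auth-ldap): expand the [dns]
// templates from auth_ldap.ini and try them in series against a bind
// function. The bind function is injected so the example runs offline; the
// real plugin does this with an LDAP client, whose bind is asynchronous.

// Constructed sample config, mirroring the README example (with verification on).
const SAMPLE_INI = `
[core]
server=ldaps://ldap.opoet.com
timeout=5000
rejectUnauthorized=true

[dns]
dn1=uid=%u,ou=Users,dc=opoet,dc=com
dn2=uid=%u,ou=people,dc=opoet,dc=com
`;

// Minimal INI parser: [sections], key=value lines, # or ; comment lines.
function parseIni(text) {
  const cfg = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { section = sec[1]; cfg[section] = cfg[section] || {}; continue; }
    const eq = line.indexOf('=');
    if (eq < 0 || section === null) continue;
    cfg[section][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// RFC 4514 escaping for an attribute value placed inside a DN. Without it a
// user name such as "alice,ou=admins" would change which entry the DN names.
function escapeDnValue(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if ('\\"+,;<>='.includes(c)) out += '\\' + c;       // '=' is optional per RFC 4514
    else if (c === '\0') out += '\\00';
    else if (c === ' ' && (i === 0 || i === value.length - 1)) out += '\\ ';
    else if (c === '#' && i === 0) out += '\\#';
    else out += c;
  }
  return out;
}

// Substitute every %u in a template with the escaped user name.
function expandDn(template, user) {
  return template.split('%u').join(escapeDnValue(user));
}

// Try the [dns] templates in file order and stop at the first successful bind.
// tryBind(dn, password) -> boolean stands in for the LDAP client's bind call.
function bindFirstMatching(cfg, user, password, tryBind) {
  let attempts = 0;
  for (const template of Object.values(cfg.dns || {})) {
    const dn = expandDn(template, user);
    attempts++;
    if (tryBind(dn, password)) return { dn, attempts };
  }
  return null;
}

// Constructed stand-in for the directory: one entry with a known password.
const DIRECTORY = { 'uid=alice,ou=people,dc=opoet,dc=com': 'correct horse' };
function mockBind(dn, password) {
  return Object.prototype.hasOwnProperty.call(DIRECTORY, dn) && DIRECTORY[dn] === password;
}

const cfg = parseIni(SAMPLE_INI);
// alice lives under ou=people, the second template, so two binds are attempted.
console.log(bindFirstMatching(cfg, 'alice', 'correct horse', mockBind));
// A wrong password fails every template and yields null.
console.log(bindFirstMatching(cfg, 'alice', 'wrong', mockBind));
```

The attempts count is the cost the README's ordering advice is about: every template listed before the one that matches is one extra bind round trip per login, serialised on the single connection.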

haraka-plugin-auth-ldap's People

Contributors: greenkeeper[bot], msimerson, thoro, wemeetagain

haraka-plugin-auth-ldap's Issues

auth-ldap doesn't populate config during register

system info

Haraka Haraka.js Version: 2.8.18
Node v7.10.1
OS Linux ubuntu 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
openssl OpenSSL 1.0.2k-fips 26 Jan 2017

Expected behavior

Observed behavior

auth-ldap doesn't work. Broke somewhere b/w .13 and .18, is my guess. Probable root cause: exports.register is missing a line. Should look like this:

exports.register = function () {
    this.inherits('auth/auth_base');
    this.load_auth_ldap_ini(); // <-- this is the missing line
}

Otherwise, this.cfg is always null:

[CRIT] [C6653449-9CEF-4709-8F29-4E0EA68CBD8B] [core] Plugin auth-ldap failed: TypeError: Cannot read property 'core' of undefined
at Plugin.exports.check_plain_passwd (/home/greeble31/mail/node_modules/haraka-plugin-auth-ldap/index.js:37:15)
at Plugin.exports.check_user (/home/greeble31/mail/node_modules/Haraka/plugins/auth/auth_base.js:148:16)
at Plugin.exports.auth_login (/home/greeble31/mail/node_modules/Haraka/plugins/auth/auth_base.js:233:23)
at Plugin.exports.hook_unrecognized_command (/home/greeble31/mail/node_modules/Haraka/plugins/auth/auth_base.js:42:23)
...

Side note: The default config/plugins has bad syntax for the commented auth-ldap: It is "# auth_ldap", but should be "# auth-ldap". Anyone who uncomments that line, expecting it to use the new auth-ldap module, will instead be getting an error message from the old auth_ldap.

Steps to reproduce

Do a trivial install of Haraka, and enable auth_ldap.

Haraka does not support self-signed certificates for LDAP-based authentication

system info

Haraka: 2.8.24
Node: 11.13.0
OS: FreeBSD mail 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 GENERIC amd64
OpenSSL: OpenSSL 1.1.1a-freebsd 20 Nov 2018

Expected behavior

Haraka should accept self-signed certificates for OpenLDAP, as seen with Dovecot, for example.

Observed behavior

Haraka does not allow ldaps://[ldap server], unless the certificate is publicly signed and recognised, e.g. via LetsEncrypt.

Steps to reproduce

In both auth_ldap.ini and rcpt_to.ldap.ini, the setting

server=ldaps://ldap.jail.vlan

creates LDAP TLS errors. In slapd.conf, security has to be disabled, and in the above configuration files "ldaps" has to be replaced with "ldap" for authentication to work.
The following configuration, however, works with Dovecot on the same server instance, connecting to a remote OpenLDAP server instance:
slapd.conf:

# Global SSL/TLS configuration:
# self-signed CA certificate
TLSCACertificateFile            /etc/ssl/cacerts/ca.jail.vlan.cacert.pem
# self-signed certificate
TLSCertificateFile              /etc/ssl/certs/ldap.jail.vlan.cert.pem
# corresponding private key
# We only want to communicate LDAP data to certified clients
# Works with Dovecot, but not with Haraka, had to be commented out
#TLSVerifyClient                demand
# Reject connections to clients with certificates that cannot be verified;
# accept clients with no certificate
# Had to be uncommented to work with Haraka
TLSVerifyClient                 try

# Security restrictions
# Require 256-bit encryption for all connections
# Had to be uncommented to work with Haraka, though it works with Dovecot
#security ssf=256

Local ldap.conf client TLS configuration:

# SSL/TLS configuration, works with Dovecot, but now irrelevant,
# as SSL/TLS had to be disabled for Haraka
# Self-signed local CA
TLS_CACERT      /etc/ssl/cacerts/ca.jail.vlan.cacert.pem
TLS_REQCERT     demand

Rationale:
We do want to encrypt connections to our central OpenLDAP server used for user authentication. This server is not publicly accessible, and therefore does not have any LetsEncrypt certificates, and we use self-signed certificates with a local CA instead.
This all works like a charm with Dovecot, but Haraka seems to insist on "proper" certificates. While this is cool for certificates for SMTP and IMAP, where we have an FQDN for the mail server, no such thing is available for the non-public OpenLDAP server. Therefore, self-signed certificates should be acceptable for LDAP purposes.
What do you think, or am I missing something?
Thank you!
Chris
