Fail to test uid of OpenLDAP with TLS...

Dan White dwhite at olp.net
Tue May 24 15:44:00 EDT 2011


On 24/05/11 20:50 +0700, Nguyen, Quoc Khanh wrote:
> Hi all,
> I'm trying to get SASL working with OpenLDAP + TLS. I got it
> working without TLS with these settings:
>
> slapd.conf:
> ----------
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCACertificateFile /var/myCA/cacert.crt
> TLSCertificateFile /var/myCA/server_crt.pem
>
> TLSCertificateKeyFile /var/myCA/server_key.pem
>
> # Use the following if client authentication is required
> #TLSVerifyClient demand
> # ... or not desired at all
> TLSVerifyClient never

What '-h' parameter are you starting slapd with?

> saslauthd.conf:
> ldap_servers: ldaps://localhost
> ldap_bind_dn: cn=admin,dc=abc,dc=com
> ldap_bind_pw: 123456789
> ldap_search_base: dc=abc,dc=com
>
> This works great with testsaslauthd:
> root at ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
> 0: OK "Success."
>
> However, when I add these lines to saslauthd.conf, it fails:
> ldap_start_tls: yes
> ldap_tls_cacert_dir: /var/myCA
> ldap_tls_cacert_file: /var/myCA/cacert.crt
> ldap_tls_cert: /var/myCA/server_crt.pem
> ldap_tls_key: /var/myCA/server_key.pem

You should change:
     ldap_servers: ldaps://localhost
to
     ldap_servers: ldap://localhost

when using starttls, and you should verify that you're starting slapd with
'ldap:///' as one of your -h URLs.

In your slapd config, you specified 'TLSVerifyClient never' (no client
authentication), but in your saslauthd.conf, you've specified a cert and a
key. Do you intend to do client TLS authentication? If not, those two lines
should not be needed.

For more information, see 'saslauthd/LDAP_SASLAUTHD' within the cyrus sasl
source, and slapd.conf(5).

> root at ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
> 0: NO "authentication failed"
>
> When I checked /var/log/auth.log, I got these messages:
> May 24 16:27:49 ldap saslauthd[870]: detach_tty : master pid is: 870
> May 24 16:27:49 ldap saslauthd[870]: ipc_init : listening on socket:
> /var/run/mux
> May 24 16:28:13 ldap saslauthd[870]: start tls failed (Can't contact LDAP
> server).
> May 24 16:28:13 ldap saslauthd[870]: Authentication failed for khanhnq:
> Cannot connect to ldap server (configuration error) $
>
> May 24 16:28:13 ldap saslauthd[870]: do_auth : auth failure: [user=khanhnq]
> [service=imap] [realm=] [mech=ldap] [reason=Unknown]

-- 
Dan White
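The two points in the reply above (StartTLS wants a plain ldap:// URI, and a client cert/key only belong in saslauthd.conf when slapd demands one) as a small config linter. This is an added example, not code from the reply or from the Cyrus SASL project; the sample config is constructed from the poster's lines with the bind password replaced, and the slapd_demands_client_cert flag standing in for slapd's TLSVerifyClient setting is an assumption. It also flags the case the thread does not reach, a plain ldap:// URI with no TLS at all.

```python
from typing import Dict, List

# Constructed from the poster's failing saslauthd.conf; bind password replaced.
FAILING_CONF = """\
ldap_servers: ldaps://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: PLACEHOLDER_PASSWORD
ldap_search_base: dc=abc,dc=com
ldap_start_tls: yes
ldap_tls_cacert_dir: /var/myCA
ldap_tls_cacert_file: /var/myCA/cacert.crt
ldap_tls_cert: /var/myCA/server_crt.pem
ldap_tls_key: /var/myCA/server_key.pem
"""


def parse_saslauthd_conf(text: str) -> Dict[str, str]:
    """saslauthd.conf is one 'key: value' per line; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:  # blank or comment-only line
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def check_ldap_tls(conf: Dict[str, str], slapd_demands_client_cert: bool = False) -> List[str]:
    """Return findings; slapd_demands_client_cert mirrors slapd's TLSVerifyClient (assumed input)."""
    findings: List[str] = []
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    # ldap_servers holds one or more space-separated LDAP URIs.
    for uri in conf.get("ldap_servers", "").split():
        scheme = uri.split("://", 1)[0].lower()
        if start_tls and scheme == "ldaps":
            findings.append(f"{uri}: StartTLS upgrades a plain ldap:// session; use ldap:// here")
        elif not start_tls and scheme == "ldap":
            findings.append(f"{uri}: no TLS at all, the bind password would cross the wire in clear")
    has_cert, has_key = "ldap_tls_cert" in conf, "ldap_tls_key" in conf
    if has_cert != has_key:
        findings.append("ldap_tls_cert and ldap_tls_key must be set together")
    elif has_cert and not slapd_demands_client_cert:
        findings.append("client cert/key configured but slapd does not demand a client certificate; drop them")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_tls(parse_saslauthd_conf(FAILING_CONF)):
        print("-", finding)
```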
