Fail to test uid of OpenLDAP with TLS...

Nguyen, Quoc Khanh khanhnq at saigontech.edu.vn
Tue May 24 23:12:30 EDT 2011


Thanks for your reply. Following your information, I changed
saslauthd.conf:

ldap_servers: ldap://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com
ldap_start_tls: yes
ldap_tls_cacert_dir: /var/myCA
ldap_tls_cacert_file: /var/myCA/cacert.crt

and I started OpenLDAP with parameter:

root at ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:///'

but it failed... too.

I mean that I just want to encrypt the traffic between Cyrus SASL
and OpenLDAP. So my config will be:

start OpenLDAP with parameter:

root at ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:/// ldaps:///' (I
want to use both 389 and 636 ports)

saslauthd.conf:

ldap_servers: ldaps://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com

Is that the correct way?

Best Regards,
-- 
***********************************
    EVERYTHING HAS JUST BEGUN...

On Tue, 24 May 2011 14:44:00 -0500, Dan White <dwhite at olp.net> wrote:
> On 24/05/11 20:50 +0700, Nguyen, Quoc Khanh wrote:
>> Hi all,
>> I'm trying to get SASL working with OpenLDAP + TLS. I got it
>> working without TLS with these settings:
>>
>> slapd.conf:
>> ----------
>>
>> TLSCipherSuite HIGH:MEDIUM:+SSLv3
>> TLSCACertificateFile /var/myCA/cacert.crt
>> TLSCertificateFile /var/myCA/server_crt.pem
>>
>> TLSCertificateKeyFile /var/myCA/server_key.pem
>>
>> # Use the following if client authentication is required
>> #TLSVerifyClient demand
>> # ... or not desired at all
>> TLSVerifyClient never
> 
> What '-h' parameter are you starting slapd with?
> 
>> saslauthd.conf:
>> ldap_servers: ldaps://localhost
>> ldap_bind_dn: cn=admin,dc=abc,dc=com
>> ldap_bind_pw: 123456789
>> ldap_search_base: dc=abc,dc=com
>>
>> This works great with testsaslauthd:
>> root at ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
>> 0: OK "Success."
>>
>> However, when I add these lines to saslauthd.conf, it fails:
>> ldap_start_tls: yes
>> ldap_tls_cacert_dir: /var/myCA
>> ldap_tls_cacert_file: /var/myCA/cacert.crt
>> ldap_tls_cert: /var/myCA/server_crt.pem
>> ldap_tls_key: /var/myCA/server_key.pem
> 
> You should change:
>      ldap_servers: ldaps://localhost
> to
>      ldap_servers: ldap://localhost
> 
> when using starttls, and you should verify that you're starting slapd with
> 'ldap:///' as one of your -h URLs.
> 
> In your slapd config, you specified 'TLSVerifyClient never' (no client
> authentication), but in your saslauthd.conf, you've specified a cert and a
> key. Do you intend to do client TLS authentication? If not, those two lines
> should not be needed.
> 
> For more information, see 'saslauthd/LDAP_SASLAUTHD' within the cyrus sasl
> source, and slapd.conf(5).
> 
>> root at ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
>> 0: NO "authentication failed"
>>
>> When I checked /var/log/auth.log, I got these messages:
>> May 24 16:27:49 ldap saslauthd[870]: detach_tty : master pid is: 870
>> May 24 16:27:49 ldap saslauthd[870]: ipc_init : listening on socket: /var/run/mux
>> May 24 16:28:13 ldap saslauthd[870]: start tls failed (Can't contact LDAP server).
>> May 24 16:28:13 ldap saslauthd[870]: Authentication failed for khanhnq: Cannot connect to ldap server (configuration error)
>> May 24 16:28:13 ldap saslauthd[870]: do_auth : auth failure: [user=khanhnq] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
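An added check, not code from the thread or from Cyrus SASL/OpenLDAP, that encodes the advice above as a small Python consistency checker: it parses a saslauthd.conf and the slapd -h URLs and flags the mismatches discussed (ldaps:// combined with StartTLS, a listener that is missing for the chosen scheme, client cert/key options that slapd with TLSVerifyClient never will not use, and a missing CA). The sample config string is constructed from the settings quoted in the thread; the function names are assumptions of this example.

```python
"""Consistency checker for saslauthd's LDAP/TLS settings against slapd's -h URLs.

Hypothetical helper written for this thread (not Cyrus SASL or OpenLDAP code).
The sample config below is constructed from the settings quoted in the thread.
"""
from urllib.parse import urlsplit

# Constructed sample: the failing saslauthd.conf from the first message.
FAILING_CONF = """
ldap_servers: ldaps://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com
ldap_start_tls: yes
ldap_tls_cacert_file: /var/myCA/cacert.crt
ldap_tls_cert: /var/myCA/server_crt.pem
ldap_tls_key: /var/myCA/server_key.pem
"""

def parse_saslauthd_conf(text):
    """Parse 'key: value' lines into a dict; blank lines and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_tls_setup(conf, slapd_urls, tls_verify_client="never"):
    """Return a list of findings; an empty list means the combination is consistent."""
    findings = []
    start_tls = conf.get("ldap_start_tls", "no").lower() in ("yes", "on", "true", "1")
    servers = {urlsplit(u).scheme for u in conf.get("ldap_servers", "").split()}
    listeners = {urlsplit(u).scheme for u in slapd_urls}
    if start_tls and "ldaps" in servers:
        findings.append("ldap_start_tls needs ldap:// servers; StartTLS upgrades the plain-port connection")
    if start_tls and "ldap" not in listeners:
        findings.append("StartTLS needs slapd started with ldap:/// among its -h URLs")
    if "ldaps" in servers and "ldaps" not in listeners:
        findings.append("ldaps:// servers need slapd started with ldaps:/// among its -h URLs")
    if "ldap" in servers and not start_tls:
        findings.append("ldap:// without ldap_start_tls sends the bind password in cleartext")
    if ("ldap_tls_cert" in conf or "ldap_tls_key" in conf) and tls_verify_client == "never":
        findings.append("ldap_tls_cert/ldap_tls_key set, but slapd has TLSVerifyClient never; drop them unless client auth is intended")
    if (start_tls or "ldaps" in servers) and not ("ldap_tls_cacert_file" in conf or "ldap_tls_cacert_dir" in conf):
        findings.append("no CA in saslauthd.conf; server certificate checking falls back to libldap defaults (ldap.conf)")
    return findings

if __name__ == "__main__":
    for finding in check_tls_setup(parse_saslauthd_conf(FAILING_CONF), ["ldap:///"]):
        print("-", finding)
```

Running it against the thread's failing config reports three findings; the corrected StartTLS config (ldap://localhost with ldap_start_tls and a CA file, slapd listening on ldap:///) reports none.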

