Saslauthd with ldaps

Paul van der Vlis paul at vandervlis.nl
Fri Jun 3 08:35:52 EDT 2005


Igor Brezac wrote:
> 
> On Wed, 1 Jun 2005, Paul van der Vlis wrote:
> 
>> Hello,
>>
>> I want to authenticate to a Novell NDS from saslauthd on a Debian Sarge
>> machine.
>>
>> This works fine:
>> ldapsearch -x -b "cn=paulvdv,o=wlg" -D "cn=paulvdv,o=wlg"
>>    -w secret -H ldaps://firewall.domain.nl:636
>>
>> This is my saslauthd.conf:
>> --------
>> ldap_servers: ldaps://firewall.domain.nl:636/
>> ldap_tls_cert: /home/paul/.cert/cacert.pem
>> ldap_tls_key: /home/paul/.cert/privkey.pem
> 
> It appears you are specifying ca cert as the client cert.  Is this what
> you want?  

No, I want to authenticate over an encrypted connection, that's all.

> Your configuration does not require client cert so you should
> remove those params.  Perhaps you wanted to specify
> ldap_tls_cacert_(file|dir)?

We have it working now with something like:

--------
ldap_servers: ldaps://firewall.domain.nl/
ldap_auth_method: fastbind
ldap_tls_cacert_file: /path/to/rootcert.pem
ldap_filter: cn=%u,o=wlg
--------

The rootcert.pem is the root certificate of the Novell server.

A problem is: there are 2 Novell servers which together form the
eDirectory; can we use 2 root certificates?

>> ldap_search_base: cn=paulvdv,o=wlg
>> ldap_filter: cn=%u,o=wlg
> 
> Have you tried this filter in the ldapsearch above?  This does not look
> right.

We've removed the ldap_search_base and added the fastbind; this looks right.

Thanks for your help. If you think it could be better, please tell...

With regards,
Paul van der Vlis.
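An added example, not code from the thread or from cyrus-sasl: a small Python linter for the pitfalls the configs above run into (ldap_tls_cert/ldap_tls_key used where a CA file was meant, a bind DN written where a search filter belongs, and a CA file without ldap_tls_check_peer: yes, which loads the root but never enforces verification of the server certificate). It also concatenates two root certificates into one ldap_tls_cacert_file bundle, which is how a two-server eDirectory can be covered with a single file. The option names are saslauthd's real LDAP options; the certificates, paths and the three config texts it lints are constructed stand-ins, not real Novell material.

```python
"""Lint saslauthd.conf LDAP settings for the pitfalls raised in the thread above.

Added example, not from the thread or cyrus-sasl. Certificates and paths below
are constructed placeholders, not real Novell eDirectory certificates.
"""
import os
import re
import tempfile

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_saslauthd_conf(text):
    """saslauthd.conf is one 'key: value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def count_pem_certs(path):
    with open(path) as fh:
        return len(_PEM_CERT.findall(fh.read()))


def write_ca_bundle(bundle_path, *root_pems):
    """One ldap_tls_cacert_file may hold several roots: concatenate the PEM files."""
    with open(bundle_path, "w") as out:
        for pem in root_pems:
            with open(pem) as fh:
                out.write(fh.read().rstrip("\n") + "\n")
    return count_pem_certs(bundle_path)


def lint_ldap_conf(conf):
    """Return a list of problem codes; an empty list means nothing was flagged."""
    problems = []
    tls = (conf.get("ldap_servers", "").startswith("ldaps://")
           or conf.get("ldap_start_tls", "no").lower() == "yes")
    if not tls:
        problems.append("plaintext_bind")        # bind password crosses the wire in the clear
    if "ldap_tls_cert" in conf or "ldap_tls_key" in conf:
        problems.append("client_cert_params")    # these select a client cert, not a CA
    cafile = conf.get("ldap_tls_cacert_file")
    if tls:
        if not cafile and "ldap_tls_cacert_dir" not in conf:
            problems.append("no_cacert")         # nothing to verify the server cert against
        if conf.get("ldap_tls_check_peer", "no").lower() != "yes":
            problems.append("no_check_peer")     # CA loaded, but peer cert never enforced
    if cafile:
        if not os.path.isfile(cafile):
            problems.append("cacert_missing")
        elif count_pem_certs(cafile) == 0:
            problems.append("cacert_empty")
    filt = conf.get("ldap_filter", "")
    if conf.get("ldap_auth_method") == "fastbind":
        if "%u" not in filt:
            problems.append("filter_no_user")    # fastbind uses the filter as the bind DN template
        if "ldap_search_base" in conf:
            problems.append("search_base_unused")  # fastbind performs no search
    elif "," in filt and not filt.startswith("("):
        problems.append("filter_is_dn")          # search mode wants a filter like (cn=%u), not a DN
    return problems


def demo():
    """Lint the thread's before/after configs plus a hardened one using a two-root bundle."""
    tmp = tempfile.mkdtemp()
    roots = []
    for i in (1, 2):  # constructed placeholder roots, one per eDirectory server
        path = os.path.join(tmp, f"root{i}.pem")
        with open(path, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n"
                     f"CONSTRUCTED-PLACEHOLDER-ROOT-{i}-NOT-A-REAL-CERT\n"
                     "-----END CERTIFICATE-----\n")
        roots.append(path)
    bundle = os.path.join(tmp, "edirectory-roots.pem")
    bundle_certs = write_ca_bundle(bundle, *roots)

    before = ("ldap_servers: ldaps://firewall.domain.nl:636/\n"
              "ldap_tls_cert: /home/paul/.cert/cacert.pem\n"
              "ldap_tls_key: /home/paul/.cert/privkey.pem\n"
              "ldap_search_base: cn=paulvdv,o=wlg\n"
              "ldap_filter: cn=%u,o=wlg\n")
    after = ("ldap_servers: ldaps://firewall.domain.nl/\n"
             "ldap_auth_method: fastbind\n"
             f"ldap_tls_cacert_file: {roots[0]}\n"
             "ldap_filter: cn=%u,o=wlg\n")
    hardened = after + f"ldap_tls_check_peer: yes\nldap_tls_cacert_file: {bundle}\n"
    return {
        "bundle_certs": bundle_certs,
        "before": lint_ldap_conf(parse_saslauthd_conf(before)),
        "after": lint_ldap_conf(parse_saslauthd_conf(after)),
        "hardened": lint_ldap_conf(parse_saslauthd_conf(hardened)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "after" config from the thread still trips no_check_peer: with ldap_tls_check_peer left at its default of no, the root certificate is read but a forged server certificate would be accepted, so the encrypted bind is not actually pinned to the eDirectory servers. Once the two roots are concatenated into one bundle and ldap_tls_check_peer is set to yes, the linter is silent.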
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html