Thanks for your reply. Following your information, I changed saslauthd.conf:

ldap_servers: ldap://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com
ldap_start_tls: yes
ldap_tls_cacert_dir: /var/myCA
ldap_tls_cacert_file: /var/myCA/cacert.crt

and I started OpenLDAP with the parameter:

root@ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:///'

but it failed too. I mean that I just want to encrypt the traffic between Cyrus SASL and OpenLDAP. So the configuration I will use is:

start OpenLDAP with the parameter:

root@ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:/// ldaps:///'

(I want to use both ports 389 and 636)

saslauthd.conf:

ldap_servers: ldaps://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com

Is that the correct way?

Best Regards,
--
***********************************
EVERYTHING HAS JUST BEGUN...

On Tue, 24 May 2011 14:44:00 -0500, Dan White <dwhite@xxxxxxx> wrote:
> On 24/05/11 20:50 +0700, Nguyen, Quoc Khanh wrote:
>> Hi all,
>> I'm trying to get SASL working with OpenLDAP + TLS. I got it
>> working without TLS with these settings:
>>
>> slapd.conf:
>> ----------
>>
>> TLSCipherSuite HIGH:MEDIUM:+SSLv3
>> TLSCACertificateFile /var/myCA/cacert.crt
>> TLSCertificateFile /var/myCA/server_crt.pem
>> TLSCertificateKeyFile /var/myCA/server_key.pem
>>
>> # Use the following if client authentication is required
>> #TLSVerifyClient demand
>> # ... or not desired at all
>> TLSVerifyClient never
>
> What '-h' parameter are you starting slapd with?
>
>> saslauthd.conf:
>> ldap_servers: ldaps://localhost
>> ldap_bind_dn: cn=admin,dc=abc,dc=com
>> ldap_bind_pw: 123456789
>> ldap_search_base: dc=abc,dc=com
>>
>> This works great with testsaslauthd:
>> root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
>> 0: OK "Success."
>>
>> However, when I add these lines to saslauthd.conf, it fails:
>> ldap_start_tls: yes
>> ldap_tls_cacert_dir: /var/myCA
>> ldap_tls_cacert_file: /var/myCA/cacert.crt
>> ldap_tls_cert: /var/myCA/server_crt.pem
>> ldap_tls_key: /var/myCA/server_key.pem
>
> You should change:
> ldap_servers: ldaps://localhost
> to
> ldap_servers: ldap://localhost
>
> when using starttls, and you should verify that you're starting slapd with
> 'ldap:///' as one of your -h URLs.
>
> In your slapd config, you specified 'TLSVerifyClient never' (no client
> authentication), but in your saslauthd.conf, you've specified a cert and a
> key. Do you intend to do client TLS authentication? If not, those two lines
> should not be needed.
>
> For more information, see 'saslauthd/LDAP_SASLAUTHD' within the cyrus sasl
> source, and slapd.conf(5).
>
>> root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
>> 0: NO "authentication failed"
>>
>> When I checked /var/log/auth.log, I got these messages:
>> May 24 16:27:49 ldap saslauthd[870]: detach_tty : master pid is: 870
>> May 24 16:27:49 ldap saslauthd[870]: ipc_init : listening on socket: /var/run/mux
>> May 24 16:28:13 ldap saslauthd[870]: start tls failed (Can't contact LDAP server).
>> May 24 16:28:13 ldap saslauthd[870]: Authentication failed for khanhnq: Cannot connect to ldap server (configuration error)
>>
>> May 24 16:28:13 ldap saslauthd[870]: do_auth : auth failure: [user=khanhnq] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
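As an added example (not code from the thread or from the Cyrus SASL project), the Python script below checks a saslauthd.conf fragment for the mismatches Dan White's reply points out: ldap_start_tls set on an ldaps:// URL (StartTLS is an extended operation on a plain ldap:// session, so it cannot be issued on a socket that already completed a TLS handshake), a URL scheme that slapd's -h list does not serve, and ldap_tls_cert/ldap_tls_key configured while slapd has TLSVerifyClient never. It also warns when TLS is in use without ldap_tls_check_peer set to yes, because encryption without server-certificate verification still lets an active attacker impersonate the directory and collect the bind password. The two sample configurations are constructed from the thread, the slapd -h lists passed in are assumptions, and the option names are taken from the LDAP_SASLAUTHD document the reply cites.

```python
# Added example: a consistency check for the saslauthd.conf LDAP/TLS options
# discussed in the thread. Not code from the thread or from Cyrus SASL.
# Assumes the "key: value" syntax of saslauthd.conf and the option names
# ldap_servers, ldap_start_tls, ldap_tls_cacert_file, ldap_tls_cacert_dir,
# ldap_tls_cert, ldap_tls_key and ldap_tls_check_peer (LDAP_SASLAUTHD).
from urllib.parse import urlsplit

# Constructed from the thread: the configuration that failed with
# "start tls failed (Can't contact LDAP server)".
FAILING_CONF = """\
ldap_servers: ldaps://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com
ldap_start_tls: yes
ldap_tls_cacert_dir: /var/myCA
ldap_tls_cacert_file: /var/myCA/cacert.crt
ldap_tls_cert: /var/myCA/server_crt.pem
ldap_tls_key: /var/myCA/server_key.pem
"""

# Constructed: StartTLS over ldap://, no client cert, server cert verified.
STARTTLS_CONF = """\
ldap_servers: ldap://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com
ldap_start_tls: yes
ldap_tls_cacert_file: /var/myCA/cacert.crt
ldap_tls_check_peer: yes
"""


def parse_saslauthd_conf(text):
    """Parse "key: value" lines; lines starting with '#' are comments.
    Only the first ':' separates key from value, so URLs survive intact."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def check_ldap_tls(opts, slapd_urls, slapd_verify_client="never"):
    """Return (code, message) pairs for TLS settings that cannot work or
    that leave the connection unverified.

    slapd_urls is the list given to 'slapd -h', e.g. ["ldap:///", "ldaps:///"];
    slapd_verify_client is the TLSVerifyClient value from slapd.conf.
    """
    problems = []
    servers = opts.get("ldap_servers", "").split()
    start_tls = _is_yes(opts.get("ldap_start_tls", "no"))
    schemes = {urlsplit(u).scheme.lower() for u in servers}
    listening = {urlsplit(u).scheme.lower() for u in slapd_urls}

    for url in servers:
        scheme = urlsplit(url).scheme.lower()
        # StartTLS upgrades a plain ldap:// session; on ldaps:// the
        # handshake already happened, so the StartTLS request fails.
        if start_tls and scheme == "ldaps":
            problems.append(("starttls-on-ldaps",
                             f"{url}: ldap_start_tls is set; use ldap:// for StartTLS"))
        # saslauthd can only reach a scheme that slapd actually serves.
        if scheme not in listening:
            problems.append(("no-listener",
                             f"{url}: slapd -h does not include {scheme}:///"))

    # A client cert/key is never used unless slapd asks for one.
    if (("ldap_tls_cert" in opts or "ldap_tls_key" in opts)
            and slapd_verify_client.lower() == "never"):
        problems.append(("unused-client-cert",
                         "ldap_tls_cert/ldap_tls_key set but slapd has TLSVerifyClient never"))

    # Encryption alone does not authenticate the directory; without peer
    # verification a spoofed server can harvest the bind password.
    if (start_tls or "ldaps" in schemes) and not _is_yes(opts.get("ldap_tls_check_peer", "no")):
        problems.append(("peer-unverified",
                         "TLS in use but ldap_tls_check_peer is not yes; server cert is not verified"))
    return problems


if __name__ == "__main__":
    for name, conf, urls in (("failing", FAILING_CONF, ["ldap:///"]),
                             ("starttls", STARTTLS_CONF, ["ldap:///", "ldaps:///"])):
        found = check_ldap_tls(parse_saslauthd_conf(conf), urls)
        print(name, found or "OK")
```

Run against the thread's failing fragment with slapd started as `-h 'ldap:///'`, the check reports all four problems; the StartTLS variant with `-h 'ldap:/// ldaps:///'` passes. The same function reports only "no-listener" for a plain `ldaps://localhost` setup when slapd is not started with `ldaps:///`, which is the other way the poster's proposed configuration could fail.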