Re: Fail to test uid of OpenLDAP with TLS...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for your reply. Following your information, i changed
saslauthd.conf:

ldap_servers: ldap://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com
ldap_start_tls: yes
ldap_tls_cacert_dir: /var/myCA
ldap_tls_cacert_file: /var/myCA/cacert.crt

and i started OpenLDAP with parameter:

root@ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:///'

but it failed... too.

I mean that i just want to encrypt a traffic connection between Cyrus SASL
and OpenLDAP. So that i will config is:

start OpenLDAP with parameter:

root@ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:/// ldaps:///" ( I
want to use both 389 and 636 ports)

saslauthd.conf:

ldap_servers: ldaps://localhost
ldap_bind_dn: cn=admin,dc=abc,dc=com
ldap_bind_pw: 123456789
ldap_search_base: dc=abc,dc=com

Is that correct way?

Best Regards,
-- 
***********************************
    EVERYTHING HAS JUST BEGUN...

On Tue, 24 May 2011 14:44:00 -0500, Dan White <dwhite@xxxxxxx> wrote:
> On 24/05/11Â20:50Â+0700, Nguyen, Quoc Khanh wrote:
>> Hi all,
>> I'm trying to get SASL working with OpenLDAP + TLS. I got it
>>working without TLS with these settings:
>>
>> slapd.conf:
>> ----------
>>
>> TLSCipherSuite HIGH:MEDIUM:+SSLv3
>> TLSCACertificateFile /var/myCA/cacert.crt
>> TLSCertificateFile /var/myCA/server_crt.pem
>>
>> TLSCertificateKeyFile /var/myCA/server_key.pem
>>
>> # Use the following if client authentication is required
>> #TLSVerifyClient demand
>> # ... or not desired at all
>> TLSVerifyClient never
> 
> What '-h' parameter are you starting slapd with?
> 
>> saslauthd.conf:
>> ldap_servers: ldaps://localhost
>> ldap_bind_dn: cn=admin,dc=abc,dc=com
>> ldap_bind_pw: 123456789
>> ldap_search_base: dc=abc,dc=com
>>
>> This works great with testsaslauthd:
>> root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq
>> -p 1234560:
>> OK "Success."
>>
>> However, when I add these lines to saslauthd.conf, it fails:
>> ldap_start_tls: yes
>> ldap_tls_cacert_dir: /var/myCA
>> ldap_tls_cacert_file: /var/myCA/cacert.crt
>> ldap_tls_cert: /var/myCA/server_crt.pem
>> ldap_tls_key: /var/myCA/server_key.pem
> 
> You should change:
>      ldap_servers: ldaps://localhost
> to
>      ldap_servers: ldap://localhost
> 
> when using starttls, and you should verify that you're starting slapd
with
> 'ldap:///' as one of your -h URLs.
> 
> In your slapd config, you specified 'TLSVerifyClient never' (no client
> authentication), but in your saslauthd.conf, you've specified a cert and
a
> key. Do you intend to do client TLS authentication? If not, those two
lines
> should not be needed.
> 
> For more information, see 'saslauthd/LDAP_SASLAUTHD' within the cyrus
sasl
> source, and slapd.conf(5).
> 
>>root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
>> 0:
>>NO "authentication failed"
>>
>> When i checked /var/log/auth.log, i got a messages:
>> May 24 16:27:49 ldap saslauthd[870]: detach_tty : master pid is: 870
>> May 24 16:27:49 ldap saslauthd[870]: ipc_init : listening on socket:
>> /var/run/mux
>> May 24 16:28:13 ldap saslauthd[870]: start tls failed (Can't contact
LDAP
>> server).
>> May 24 16:28:13 ldap saslauthd[870]: Authentication failed for khanhnq:
>> Cannot connect to ldap server (configuration error) $
>>
>>May 24 16:28:13 ldap saslauthd[870]: do_auth : auth failure:
>>[user=khanhnq]
>>[service=imap] [realm=] [mech=ldap] [reason=Unknown]


[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux