Oh, my god... It's failed... too. When I checked TLS/SSL with ldapsearch it worked OK... I... I'm so confused about this problem. After relaxing for a while, I decided to go back to your way: use STARTTLS. And when I tested many times, I got this result:

root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: NO "authentication failed"
root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: OK "Success."
root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: NO "authentication failed"
root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: NO "authentication failed"
root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: OK "Success."
root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: NO "authentication failed"
root@ldap:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: OK "Success."

Do you have any ideas? Please help...

Best Regards,
-- 
***********************************
EVERYTHING HAS JUST BEGUN...

On Wed, 25 May 2011 09:08:23 -0500, Dan White <dwhite@xxxxxxx> wrote:
> On 25/05/11 10:12 +0700, Nguyen, Quoc Khanh wrote:
>>Thanks for your reply. Following your information, I changed
>>saslauthd.conf:
>>
>>ldap_servers: ldap://localhost
>>ldap_bind_dn: cn=admin,dc=abc,dc=com
>>ldap_bind_pw: 123456789
>>ldap_search_base: dc=abc,dc=com
>>ldap_start_tls: yes
>>ldap_tls_cacert_dir: /var/myCA
>>ldap_tls_cacert_file: /var/myCA/cacert.crt
>>
>>and I started OpenLDAP with parameter:
>>
>>root@ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:///'
>>
>>but it failed... too.
>>
>>I mean that I just want to encrypt the traffic connection between Cyrus SASL
>>and OpenLDAP. So what I will configure is:
>>
>>start OpenLDAP with parameter:
>>
>>root@ldap:/usr/local/openldap/libexec# ./slapd -h 'ldap:/// ldaps:///' ( I
>>want to use both 389 and 636 ports)
>>
>>saslauthd.conf:
>>
>>ldap_servers: ldaps://localhost
>>ldap_bind_dn: cn=admin,dc=abc,dc=com
>>ldap_bind_pw: 123456789
>>ldap_search_base: dc=abc,dc=com
>>
>>Is that the correct way?
>
> ldaps:/// should work just as well.. starttls would just be another way
> to accomplish the same thing.
>
> You might also need 'ldap_tls_check_peer: yes'. The documentation is
> unclear if that's needed for both ldaps:/// and starttls over ldap:///.
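The alternating NO/OK replies above are the interesting part: the same credentials are answered differently from one run to the next. The following script is an added example, not code from the thread or from Cyrus SASL; it repeats the testsaslauthd probe, tallies the replies and tells a stable failure apart from a flapping one. It assumes testsaslauthd at the path used in the thread (override with the TESTSASLAUTHD environment variable) and takes the account name and password as arguments.

```shell
#!/bin/sh
# Added example: probe saslauthd repeatedly and classify the reply pattern.
# Assumption: testsaslauthd lives where the thread's author has it; override
# with TESTSASLAUTHD=/path/to/testsaslauthd.
TESTSASLAUTHD=${TESTSASLAUTHD:-/usr/local/sasl2/sbin/testsaslauthd}

# classify_reply LINE: map one testsaslauthd reply line to OK, NO or UNKNOWN.
# The tool prints replies such as  0: OK "Success."  or
# 0: NO "authentication failed"  as seen in the thread.
classify_reply() {
    case "$1" in
        *": OK "*) echo OK ;;
        *": NO "*) echo NO ;;
        *)         echo UNKNOWN ;;
    esac
}

# probe_auth USER PASSWORD COUNT: run the probe COUNT times and print
# "ok=<n> no=<n> other=<n>". Because -p puts the password in the process
# list, only use a throwaway test account for this.
probe_auth() {
    user=$1; pass=$2; count=$3
    ok=0; no=0; other=0; i=0
    while [ "$i" -lt "$count" ]; do
        reply=$("$TESTSASLAUTHD" -u "$user" -p "$pass" 2>&1 | head -n 1)
        case "$(classify_reply "$reply")" in
            OK) ok=$((ok + 1)) ;;
            NO) no=$((no + 1)) ;;
            *)  other=$((other + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "ok=$ok no=$no other=$other"
}

# verdict OK_COUNT NO_COUNT: identical input with mixed answers means the
# credentials are not the problem; something non-deterministic sits behind
# saslauthd, so the saslauthd and slapd logs are the place to look next.
verdict() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo flapping
    elif [ "$1" -gt 0 ]; then echo stable-ok
    else echo stable-fail
    fi
}

# Usage (constructed call): summarise 20 probes of a test account.
#   probe_auth khanhnq 'TEST-PASSWORD' 20
```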