Olivier Nicole on@cs.ait.ac.th writes:
Dieter,
I cannot bind to cn=config I guess, I never set any password for that and I don't know what to set.
Now I understand. On FreeBSD, for some reason, the port of OpenLDAP does not mention the new configuration style and only relies on the old slapd.conf configuration.
So that's what I am using.
I believe the equivalent of cn=config would be the following extract from my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/csim.schema
include /usr/local/etc/openldap/schema/radius.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb

security ssf=0 update_tls=128 simple_bind=128
#security ssf=0 update_tls=128 simple_bind=128

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSRandFile /dev/random
TLSCertificateFile /usr/local/ssl/crt/ldap.cs.ait.ac.th.crt
TLSCertificateKeyFile /usr/local/ssl/key/ldap.cs.ait.ac.th.key
TLSCACertificateFile /usr/local/ssl/ca/ca-bundle.crt
Then comes the database.
To add authenticated access to a runtime cn=config database add, prior to any other database,

database config
rootpw secret

to slapd.conf.
Now, how could that explain the bind problem with saslauthd?
As there is a TLS negotiation failure,
- check the TLS configuration of saslauthd,
- is your CA contained in ca-bundle.crt?
- can saslauthd read ca-bundle.crt?
- what is the commonName value in certificateFile?
- what is the output of openssl s_client -connect ldaphost:636 -showcerts
-Dieter
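The checklist in the reply above, turned into a small diagnostic script. This is an added example and not part of the original thread; it assumes the certificate and CA bundle paths quoted from the poster's slapd.conf (override them with the LDAP_CERT, LDAP_CA and LDAP_HOST environment variables, which are names chosen here) and that the openssl command-line tool is installed. The live check adds -CAfile to Dieter's s_client command so the "Verify return code" line reflects the same bundle slapd is configured with.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a saslauthd -> slapd
# TLS failure. Defaults are the paths from the poster's slapd.conf extract.
CERT="${LDAP_CERT:-/usr/local/ssl/crt/ldap.cs.ait.ac.th.crt}"
CA_BUNDLE="${LDAP_CA:-/usr/local/ssl/ca/ca-bundle.crt}"
LDAP_HOST="${LDAP_HOST:-ldap.cs.ait.ac.th}"

# Check 3 in the reply: can the current user (run this as the saslauthd user)
# actually read the CA bundle?  Returns 0 if readable.
ca_readable() {
    [ -r "$1" ]
}

# Check 4: print the commonName carried by the server certificate.  It must
# match the host name saslauthd connects to, or the client rejects the cert.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 2: does the CA bundle contain the issuer of the server certificate?
# Returns 0 when the chain verifies against the bundle, 1 otherwise.
cert_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 5: the live handshake from Dieter's reply, with the server's own
# bundle supplied so the verify result is meaningful.  Needs network access.
live_check() {
    openssl s_client -connect "$1:636" -CAfile "$2" -showcerts </dev/null 2>/dev/null \
        | grep -E 'Verify return code|subject='
}

# Run the offline checks only when explicitly asked, so sourcing the file
# just defines the functions.
if [ "${RUN_LDAP_TLS_CHECKS:-0}" = 1 ]; then
    ca_readable "$CA_BUNDLE" && echo "ok: $CA_BUNDLE is readable" \
        || echo "FAIL: cannot read $CA_BUNDLE"
    echo "server certificate CN: $(cert_cn "$CERT") (expected $LDAP_HOST)"
    cert_verifies "$CERT" "$CA_BUNDLE" && echo "ok: $CERT chains to $CA_BUNDLE" \
        || echo "FAIL: $CERT does not verify against $CA_BUNDLE"
    live_check "$LDAP_HOST" "$CA_BUNDLE"
fi
```

Run it as the user saslauthd drops privileges to (for example with su or sudo -u) with RUN_LDAP_TLS_CHECKS=1; a readable bundle that still fails cert_verifies points at a missing CA, while a CN that differs from the host name in saslauthd's configuration explains a handshake that fails only on the client side.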