Hi,
I have problems to get saslauthd to work with my openldap server:
- saslauthd binds/authenticates if I connect to the non-SSL port ldap://ldap.cs.ait.ac.th/
- saslauthd fails to bind/authenticate if I connect to the SSL port ldaps://ldap.cs.ait.ac.th/
Jul 23 12:02:00 ldap slapd[41289]: conn=22 fd=19 ACCEPT from IP=192.41.170.50:62502 (IP=192.41.170.6:636)
Jul 23 12:02:00 ldap slapd[41289]: connection_closing: readying conn=22 sd=19 for close
Jul 23 12:02:00 ldap slapd[41289]: connection_close: conn=22 sd=-1
Jul 23 12:02:00 ldap slapd[41289]: conn=22 fd=19 closed (TLS negotiation failure)
I really don't know where to look.
TIA,
Olivier
Olivier Nicole on@cs.ait.ac.th writes:
Hi,
I have problems to get saslauthd to work with my openldap server:
saslauthd binds/authenticates if I connect to the non-SSL port ldap://ldap.cs.ait.ac.th/
saslauthd fails to bind/authenticate if I connect to the SSL port ldaps://ldap.cs.ait.ac.th/
[...]
Jul 23 12:02:00 ldap slapd[41289]: conn=22 fd=19 closed (TLS negotiation failure)
I really don't know where to look.
Look at cn=config and present the TLS configuration attributes.
ldapsearch -x -D binddn -w secret -H ldap://ldaphost -b cn=config -s base "*"
And look at your client's ldap configuration.
-Dieter
Hi,
Look at cn=config and present the TLS configuration attributes.
ldapsearch -x -D binddn -w secret -H ldap://ldaphost -b cn=config -s base "*"
ldapsearch -x -D cn=Manager,dc=cs,dc=ait,dc=ac,dc=th -w **** -H ldap://ldap.cs.ait.ac.th/ -b cn=config -s base "*"
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: *
#

# search result
search: 2
result: 50 Insufficient access

# numResponses: 1
So far it does not work, but I never tried to access something like cn=config
The DN I used to bind with is the rootdn.
Best regards,
Olivier
Olivier Nicole on@cs.ait.ac.th writes:
Hi,
Look at cn=config and present the TLS configuration attributes.
ldapsearch -x -D binddn -w secret -H ldap://ldaphost -b cn=config -s base "*"
ldapsearch -x -D cn=Manager,dc=cs,dc=ait,dc=ac,dc=th -w **** -H ldap://ldap.cs.ait.ac.th/ -b cn=config -s base "*"
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope baseObject
# filter: (objectclass=*)
# requesting: *
#

# search result
search: 2
result: 50 Insufficient access

# numResponses: 1
So far it does not work, but I never tried to access something like cn=config
The DN I used to bind with is the rootdn.
The default rootdn is cn=config. The rootdn you tried to bind with is the rootdn of your bdb/hdb database.
-Dieter
Olivier Nicole on@cs.ait.ac.th writes:
Dieter,
The default rootdn is cn=config. The rootdn you tried to bind with is the rootdn of your bdb/hdb database.
You have me completely lost.
I cannot bind to cn=config I guess, I never set any password for that and I don't know what to set.
http://www.openldap.org/doc/admin24/slapdconf2.html
-Dieter
Dieter,
I cannot bind to cn=config I guess, I never set any password for that and I don't know what to set.
Now I understand. On FreeBSD, for some reason, the port of OpenLDAP does not mention the new configuration style and only relies on the old slapd.conf configuration.
So that's what I am using.
I believe the equivalent of cn=config would be the following extract from my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/csim.schema
include /usr/local/etc/openldap/schema/radius.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb

security ssf=0 update_tls=128 simple_bind=128
#security ssf=0 update_tls=128 simple_bind=128

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSRandFile /dev/random
TLSCertificateFile /usr/local/ssl/crt/ldap.cs.ait.ac.th.crt
TLSCertificateKeyFile /usr/local/ssl/key/ldap.cs.ait.ac.th.key
TLSCACertificateFile /usr/local/ssl/ca/ca-bundle.crt
Then comes the database.
Now, how could that explain the bind problem with saslauthd?
Best regards,
Olivier
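Added example, not part of Olivier's or Dieter's messages: the TLS lines from the slapd.conf above next to a tightened version, and the saslauthd side that has to trust the same CA. Directive names are those of slapd.conf(5) and of saslauthd's LDAP_SASLAUTHD options; the bind DN, the saslauthd.conf path and the TLSProtocolMin value are assumed for illustration, and nothing here claims to identify the cause of the negotiation failure in the thread.

```conf
# slapd.conf, TLS section as posted (weak). In an OpenSSL cipher string
# "+SSLv2" only moves the matching ciphers to the end of the list, it does
# not exclude them, and MEDIUM admits RC4 and other ciphers you do not want
# on an authentication service.
#TLSCipherSuite HIGH:MEDIUM:+SSLv2

# Tightened: strong ciphers only, no anonymous or null suites, and a floor
# on the protocol version (3.1 = TLS 1.0; 3.3 = TLS 1.2 where the build
# supports it). Assumed value, adjust to what your clients can speak.
TLSCipherSuite        HIGH:!aNULL:!eNULL:!MD5
TLSProtocolMin        3.1
TLSCertificateFile    /usr/local/ssl/crt/ldap.cs.ait.ac.th.crt
TLSCertificateKeyFile /usr/local/ssl/key/ldap.cs.ait.ac.th.key
# Must contain the CA that issued the server certificate (plus any
# intermediates); a client that verifies the peer otherwise aborts the
# handshake, which slapd logs as "TLS negotiation failure".
TLSCACertificateFile  /usr/local/ssl/ca/ca-bundle.crt

# /usr/local/etc/saslauthd.conf (saslauthd -a ldap). Path, bind DN and
# password are assumptions; use a dedicated low-privilege DN, not the rootdn.
ldap_servers: ldaps://ldap.cs.ait.ac.th/
ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,dc=cs,dc=ait,dc=ac,dc=th
ldap_bind_pw: secret
ldap_search_base: dc=cs,dc=ait,dc=ac,dc=th
ldap_filter: (uid=%u)
# Peer verification: the bundle must hold slapd's issuing CA and must be
# readable by the user saslauthd runs as.
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /usr/local/ssl/ca/ca-bundle.crt
# ldaps:// is TLS from the first byte; ldap_start_tls is for STARTTLS on
# the plain ldap:// port and must stay off for an ldaps:// URL.
ldap_start_tls: no
```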
Olivier Nicole on@cs.ait.ac.th writes:
Dieter,
I cannot bind to cn=config I guess, I never set any password for that and I don't know what to set.
Now I understand. On FreeBSD, for some reason, the port of OpenLDAP does not mention the new configuration style and only relies on the old slapd.conf configuration.
So that's what I am using.
I believe the equivalent of cn=config would be the following extract from my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/csim.schema
include /usr/local/etc/openldap/schema/radius.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb

security ssf=0 update_tls=128 simple_bind=128
#security ssf=0 update_tls=128 simple_bind=128

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSRandFile /dev/random
TLSCertificateFile /usr/local/ssl/crt/ldap.cs.ait.ac.th.crt
TLSCertificateKeyFile /usr/local/ssl/key/ldap.cs.ait.ac.th.key
TLSCACertificateFile /usr/local/ssl/ca/ca-bundle.crt
Then comes the database.
To add authenticated access to a runtime cn=config database, add, prior to any other database,
database config
rootpw secret
to slapd.conf.
Now, how could that explain the bind problem with saslauthd?
As there is a TLS negotiation failure,
- check the TLS configuration of saslauthd,
- is your CA contained in ca-bundle.crt?
- can saslauthd read ca-bundle.crt?
- what is the commonName value in certificateFile?
- what is the output of openssl s_client -connect ldaphost:636 -showcerts
-Dieter
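Dieter's checklist as a runnable script, added here as an example and not taken from the thread or from OpenLDAP: it fetches the chain with openssl s_client -showcerts, verifies the server certificate against a CA bundle, lists the names the certificate is valid for, and checks that the host name the client dials is among them. So that it runs offline, it builds a constructed throw-away PKI (a CA, an unrelated CA standing in for a wrong ca-bundle.crt, and a server certificate for ldap.cs.ait.ac.th); the host and file names are placeholders taken from the thread, and the readability check for the saslauthd user is left to ls -l.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP/saslauthd:
# Dieter's checklist for a "TLS negotiation failure" on ldaps:// as shell
# functions, exercised offline against a constructed, throw-away PKI.
# Host names and file names are placeholders taken from the thread.

# Pull the server's chain the way Dieter suggests (openssl s_client
# -showcerts) and keep only the PEM blocks. Needs a live host, so the
# offline demo does not call it. Empty output = no handshake at all.
fetch_chain() {  # fetch_chain HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
    [ -s "$3" ]
}

# Is the CA that issued SERVER_CERT really in CA_BUNDLE? Exit 0 when the
# chain verifies, non-zero otherwise (openssl verify's own verdict).
verify_chain() {  # verify_chain CA_BUNDLE SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Names the certificate is valid for: subject CN first, then every DNS
# SAN, one per line. TLS clients match the SAN list and fall back to CN.
cert_names() {  # cert_names SERVER_CERT
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=[[:space:]]*.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Does the host name the client dials appear in the certificate? A client
# that verifies the peer aborts the handshake when it does not.
hostname_matches() {  # hostname_matches SERVER_CERT HOST
    cert_names "$1" | grep -qxF -- "$2"
}

# ---- constructed test material (not from the thread) ------------------
# Minimal openssl config so nothing below depends on the system openssl.cnf.
write_req_conf() {  # write_req_conf FILE CN
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n' >"$1"
    printf '[dn]\nCN=%s\n[ca]\nbasicConstraints=critical,CA:TRUE\n' "$2" >>"$1"
    printf 'keyUsage=keyCertSign,cRLSign\n' >>"$1"
}

# Self-signed CA with explicit CA extensions.
make_ca() {  # make_ca DIR NAME  -> DIR/NAME.key, DIR/NAME.crt
    write_req_conf "$1/$2.cnf" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Server cert for HOST issued by DIR/ca.crt with CN and DNS SAN both set,
# plus an unrelated CA that plays the part of a wrong ca-bundle.crt.
make_test_pki() {  # make_test_pki DIR HOST
    make_ca "$1" ca
    make_ca "$1" other-ca
    write_req_conf "$1/server.cnf" "$2"
    openssl req -newkey rsa:2048 -nodes -config "$1/server.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$2" >"$1/san.cnf"
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/san.cnf" \
        -out "$1/server.crt" >/dev/null 2>&1
}

# Offline walk through the checklist; feed it fetch_chain output and your
# real ca-bundle.crt to run the same checks against the live server.
demo() {  # demo HOST
    d=$(mktemp -d)
    make_test_pki "$d" "$1"
    verify_chain "$d/ca.crt" "$d/server.crt" &&
        echo "issuing CA in bundle: chain OK"
    verify_chain "$d/other-ca.crt" "$d/server.crt" ||
        echo "unrelated CA in bundle: chain FAILS (a CA missing from ca-bundle.crt looks like this)"
    echo "names in certificate:"; cert_names "$d/server.crt"
    hostname_matches "$d/server.crt" "$1" && echo "host name $1 matches"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo ldap.cs.ait.ac.th
else
    echo "openssl not installed; nothing to check" >&2
fi
```

Against the real server the sequence is fetch_chain ldap.cs.ait.ac.th 636 chain.pem, then verify_chain /usr/local/ssl/ca/ca-bundle.crt chain.pem and hostname_matches chain.pem ldap.cs.ait.ac.th (openssl verify reads the first certificate in the file as the leaf). A chain that verifies but a host name that does not match is the commonName question on Dieter's list; a chain that does not verify is the missing-CA question; no handshake at all points at the cipher or protocol settings on one side or the other.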
openldap-technical@openldap.org