
Re: openldap and dadlauthd



Olivier Nicole <on@cs.ait.ac.th> writes:

> Dieter,
>
>> > I cannot bind to cs=config I guess, I never set any password for that
>> > and I don't know what to set.
>> http://www.openldap.org/doc/admin24/slapdconf2.html
>
> Now I understand. On FreeBSD, for some reason, the port of OpenLDAP
> does not mention the new configuration style and only relies on the old
> slapd.conf configuration.
>
> So that's what I am using.
>
> I believe the equivalent of cn=conf would be the following extract
> from my slapd.conf file:
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include		/usr/local/etc/openldap/schema/core.schema
> include		/usr/local/etc/openldap/schema/cosine.schema
> include		/usr/local/etc/openldap/schema/corba.schema
> include		/usr/local/etc/openldap/schema/dyngroup.schema
> include		/usr/local/etc/openldap/schema/inetorgperson.schema
> include		/usr/local/etc/openldap/schema/java.schema
> include		/usr/local/etc/openldap/schema/misc.schema
> include		/usr/local/etc/openldap/schema/nis.schema
> include		/usr/local/etc/openldap/schema/openldap.schema
> include		/usr/local/etc/openldap/schema/csim.schema
> include		/usr/local/etc/openldap/schema/radius.schema
> include		/usr/local/etc/openldap/schema/samba.schema
>
> pidfile		/var/run/openldap/slapd.pid
> argsfile	/var/run/openldap/slapd.args
>
> # Load dynamic backend modules:
> modulepath	/usr/local/libexec/openldap
> moduleload	back_bdb
>
> security ssf=0 update_tls=128 simple_bind=128
> #security ssf=0 update_tls=128 simple_bind=128
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSRandFile /dev/random
> TLSCertificateFile /usr/local/ssl/crt/ldap.cs.ait.ac.th.crt
> TLSCertificateKeyFile /usr/local/ssl/key/ldap.cs.ait.ac.th.key
> TLSCACertificateFile /usr/local/ssl/ca/ca-bundle.crt
>
> Then comes the database.

To add authenticated access to a runtime cn=config database add, prior to
any other database,

  database config
  rootpw secret

to slapd.conf

> Now, how could that explain the bind problem with saslauthd?

As there is a TLS negotiation failure,
- check the TLS configuration of saslauthd,
- is your CA contained in ca-bundle.crt?
- can saslauthd read ca-bundle.crt?
- what is the commonName value in certificateFile?
- what is the output of
  openssl s_client -connect ldaphost:636 -showcerts

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
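Dieter's checklist above, written out as a shell script. This is an example added to the thread, not code from either mail, from OpenLDAP or from Cyrus SASL. It assumes an `openssl` binary on PATH, that the CA bundle, server certificate and hostname are the ones saslauthd is pointed at (the `ldap_tls_cacert_file` and `ldap_servers` settings in saslauthd.conf), and it builds its own throwaway CA, server certificate and bundles so that the checks can be run offline; the real paths from Olivier's slapd.conf appear only in the usage comment.

```shell
#!/bin/sh
# Offline version of the TLS checks from Dieter's reply. Added example; not
# from the original mail or the OpenLDAP / Cyrus SASL projects.

# Check 1: is the signing CA literally present in the bundle?
# Splits the PEM bundle and compares SHA-256 fingerprints.
ca_in_bundle() {        # $1 = ca-bundle.crt, $2 = CA certificate to look for
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null) || return 2
    tmp=$(mktemp -d) || return 2
    awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/c" n ".pem")}' "$1"
    found=1
    for f in "$tmp"/c*.pem; do
        [ -e "$f" ] || continue
        if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$f" 2>/dev/null)" = "$want" ]; then
            found=0
            break
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Check 2: does the bundle actually validate the server certificate chain?
# This is what saslauthd's client-side verification has to succeed at.
# The "...: OK" line is matched instead of the exit status, which older
# openssl releases did not set reliably for "verify".
chain_verifies() {      # $1 = ca-bundle.crt, $2 = server certificate
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Check 3: commonName of the server certificate. It must match the host
# name saslauthd connects to (modern clients check subjectAltName first,
# so a SAN entry for the same name is the safer addition).
cert_cn() {             # $1 = certificate file
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cn_matches_host() {     # $1 = certificate file, $2 = hostname from ldap_servers
    [ "$(cert_cn "$1")" = "$2" ]
}

# Check 4: what the live server presents (Dieter's s_client command); needs
# network access, so it is not exercised by the offline test below.
show_server_chain() {   # $1 = host, $2 = port (636 for ldaps)
    openssl s_client -connect "$1:$2" -showcerts </dev/null
}

# Constructed fixtures: a test CA, an unrelated CA, a server certificate
# signed by the test CA, a bundle that contains the test CA and one that
# does not. All keys are throwaway, valid for one day.
make_fixtures() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Unrelated CA' \
        -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=ldap.example.test' \
        -keyout "$d/ldap.key" -out "$d/ldap.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/ldap.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/ldap.crt" >/dev/null 2>&1
    cat "$d/other.crt" "$d/ca.crt" > "$d/good-bundle.crt"
    cp "$d/other.crt" "$d/bad-bundle.crt"
    printf '%s\n' "$d"
}

# Human-readable report for real files, e.g.
#   sh tlscheck.sh /usr/local/ssl/ca/ca-bundle.crt \
#                  /usr/local/ssl/crt/ldap.cs.ait.ac.th.crt ldap.cs.ait.ac.th
# Run it as the uid saslauthd runs under, so the readability check is honest.
report() {              # $1 = ca-bundle.crt, $2 = server cert, $3 = expected hostname
    if [ -r "$1" ]; then echo "bundle readable by $(id -un): yes"
    else echo "bundle readable by $(id -un): NO"; fi
    if chain_verifies "$1" "$2"; then echo "bundle validates server cert: yes"
    else echo "bundle validates server cert: NO (issuing CA missing from bundle?)"; fi
    echo "server cert CN: $(cert_cn "$2")"
    if cn_matches_host "$2" "$3"; then echo "CN matches $3: yes"
    else echo "CN matches $3: NO"; fi
}

if [ "$#" -ge 3 ]; then
    report "$@"
fi
```

Passing every check here and still seeing a negotiation failure points at the saslauthd side (its own ldap_tls_* settings or the cipher list), which is why the `show_server_chain` call against port 636 is the last step rather than the first.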