[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap and dadlauthd

To: openldap-technical@openldap.org
Subject: Re: openldap and dadlauthd
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Fri, 24 Jul 2009 09:02:50 +0200
In-reply-to: <200907240156.n6O1uqWw061479@banyan.cs.ait.ac.th> (Olivier Nicole's message of "Fri, 24 Jul 2009 08:56:52 +0700 (ICT)")
References: <200907230558.n6N5wxR0049840@banyan.cs.ait.ac.th> <87tz13vnpt.fsf@rubin.avci.de> <200907230857.n6N8vPfl053179@banyan.cs.ait.ac.th> <x6my6vogrx.fsf@dkluenter.de> <200907231047.n6NAlhfr054347@banyan.cs.ait.ac.th> <87prbrlkrq.fsf@rubin.avci.de> <200907240156.n6O1uqWw061479@banyan.cs.ait.ac.th>
User-agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (linux)

Olivier Nicole <on@cs.ait.ac.th> writes:

> Dieter,
>
>> > I cannot bind to cs=config I guess, I never set any password for that
>> > and I don't know what to set.
>> http://www.openldap.org/doc/admin24/slapdconf2.html
>
> Now I understand. On freeBSD, for some reason, the port of OpenLdap
> does not mention the new configuration style and only rely on the old
> slaps.conf configuration.
>
> So that's what I am using.
>
> I beleive the equivalent of cn=conf would be the following extract
> from my slapd.conf file:
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include		/usr/local/etc/openldap/schema/core.schema
> include		/usr/local/etc/openldap/schema/cosine.schema
> include		/usr/local/etc/openldap/schema/corba.schema
> include		/usr/local/etc/openldap/schema/dyngroup.schema
> include		/usr/local/etc/openldap/schema/inetorgperson.schema
> include		/usr/local/etc/openldap/schema/java.schema
> include		/usr/local/etc/openldap/schema/misc.schema
> include		/usr/local/etc/openldap/schema/nis.schema
> include		/usr/local/etc/openldap/schema/openldap.schema
> include		/usr/local/etc/openldap/schema/csim.schema
> include		/usr/local/etc/openldap/schema/radius.schema
> include		/usr/local/etc/openldap/schema/samba.schema
>
> pidfile		/var/run/openldap/slapd.pid
> argsfile	/var/run/openldap/slapd.args
>
> # Load dynamic backend modules:
> modulepath	/usr/local/libexec/openldap
> moduleload	back_bdb
>
> security ssf=0 update_tls=128 simple_bind=128
> #security ssf=0 update_tls=128 simple_bind=128
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSRandFile /dev/random
> TLSCertificateFile /usr/local/ssl/crt/ldap.cs.ait.ac.th.crt
> TLSCertificateKeyFile /usr/local/ssl/key/ldap.cs.ait.ac.th.key
> TLSCACertificateFile /usr/local/ssl/ca/ca-bundle.crt
>
> Then comes the database.

To add authenticated access to a runtime cn=config database add, prior to
any other database,
database config
rootpw secret 
to slapd.conf
> Now, how could that explain the bind problem with saslauthd?

As there is a TLS negociation failure, 
- check the TLS configuration of saslauthd, 
- is your CA contaianed in ca-bundle.crt ?
- can saslauthd read ca-bundle.crt?
- what is the commonName valaue in certificateFile?
- what is the output of
  openssl s_client -connect ldaphost:636 -showcerts

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E

References:
- openldap and dadlauthd
  - From: Olivier Nicole <on@cs.ait.ac.th>
- Re: openldap and dadlauthd
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: openldap and dadlauthd
  - From: Olivier Nicole <on@cs.ait.ac.th>
- Re: openldap and dadlauthd
  - From: Dieter Kluenter <dieter@dkluenter.de>
- Re: openldap and dadlauthd
  - From: Olivier Nicole <on@cs.ait.ac.th>
- Re: openldap and dadlauthd
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: openldap and dadlauthd
  - From: Olivier Nicole <on@cs.ait.ac.th>

Prev by Date: Re: openldap and dadlauthd
Next by Date: Re: access control
Index(es):
- Chronological
- Thread