Re: sasl 2.1.9 + LDAPS problem

2002-10-19 Thread Kervin L. Pierre
Did you say ldapsearch worked on the commandline?

'-d -1' if you want all the debug info.

You can also use the openssl commands s_server and s_client for 
debugging ldaps.  That's probably more helpful than ethereal.  'man 
s_server' and 'man s_client' for more info.

PS. For speed, if you have a busy mail server or you're paying for the 
bandwidth ldap uses, how about running a replica on your mail server and 
having saslauthd use '-H ldap://127.0.0.1/' or 'ldapi://' to connect to 
it.  You can use ldaps for replication.  This should speed up your 
config considerably.

--Kervin


Igor Brezac wrote:
> On Wed, 16 Oct 2002, Felix Cuello wrote:
>
> > Here is the stdout of slapd. What do you think?
>
> Hmmm, unfortunately this is not telling me much.  It indicates that a
> connection came in, but it is not an ldaps session.  Did you run a
> saslauthd/ldaps session?  You should see a lot more debug info including
> TLS trace.
>
> I just tested saslauthd/ldaps on sasl-2.1.9 and it works fine.  I used
> openldap 2.1.6 (server and API) which should be more difficult to setup
> because openldap 2.1 API verifies the server certificate and 2.0 does not.
> Someone please correct me if I am wrong. ;)
>
> -Igor
>
> > thanks for your time and patience!
> >
> > Felix
> >
> > @(#) $OpenLDAP: slapd 2.0.23-Release (Thu Feb 21 12:43:53 EST 2002) $
> >    [EMAIL PROTECTED]:/usr/src/build/73902-i386/BUILD/openldap-2.0.23/build-krb5/servers/slapd
> > daemon_init: listen on ldap:///
> > daemon_init: listen on ldaps:///
> > daemon_init: 2 listeners to open...
> > ldap_url_parse_ext(ldap:///)
> > daemon: socket() failed errno=97 (Address family not supported by protocol)
> > daemon: initialized ldap:///
> > ldap_url_parse_ext(ldaps:///)
> > daemon: socket() failed errno=97 (Address family not supported by protocol)
> > daemon: initialized ldaps:///
> > daemon_init: 2 listeners opened
> > slapd init: initiated server.
> > slap_sasl_init: initialized!
> > slapd startup: initiated.
> > slapd starting
> > ldap_pvt_gethostbyname_a: host=upsoluciones, r=0
> > daemon: conn=0 fd=10 connection from IP=200.69.213.9:1478
> > (IP=0.0.0.0:31746) accepted.
> >
> > ---
> > Felix Cuello <[EMAIL PROTECTED]>
> > Qodiga/its
> >
> > /"\  ASCII Ribbon Campaign
> > \ /  No HTML in mail or news!
> >  X
> > / \
> > ---


Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Igor Brezac


On Wed, 16 Oct 2002, Felix Cuello wrote:

> Here is the stdout of slapd. What do you think?
>

Hmmm, unfortunately this is not telling me much.  It indicates that a
connection came in, but it is not an ldaps session.  Did you run a
saslauthd/ldaps session?  You should see a lot more debug info including
TLS trace.

I just tested saslauthd/ldaps on sasl-2.1.9 and it works fine.  I used
openldap 2.1.6 (server and API) which should be more difficult to setup
because openldap 2.1 API verifies the server certificate and 2.0 does not.
Someone please correct me if I am wrong. ;)

-Igor


> thanks for your time and patience!
>
> Felix
>
> 
>
> @(#) $OpenLDAP: slapd 2.0.23-Release (Thu Feb 21 12:43:53 EST 2002) $
> 
>[EMAIL PROTECTED]:/usr/src/build/73902-i386/BUILD/openldap-2.0.23/build-krb5/servers/slapd
> daemon_init: listen on ldap:///
> daemon_init: listen on ldaps:///
> daemon_init: 2 listeners to open...
> ldap_url_parse_ext(ldap:///)
> daemon: socket() failed errno=97 (Address family not supported by protocol)
> daemon: initialized ldap:///
> ldap_url_parse_ext(ldaps:///)
> daemon: socket() failed errno=97 (Address family not supported by protocol)
> daemon: initialized ldaps:///
> daemon_init: 2 listeners opened
> slapd init: initiated server.
> slap_sasl_init: initialized!
> slapd startup: initiated.
> slapd starting
> ldap_pvt_gethostbyname_a: host=upsoluciones, r=0
> daemon: conn=0 fd=10 connection from IP=200.69.213.9:1478
> (IP=0.0.0.0:31746) accepted.
>
>
>
>
> ---
>  Felix Cuello <[EMAIL PROTECTED]>
>  Qodiga/its   
>
> /"\  ASCII Ribbon Campaign
> \ /  No HTML in mail or news!
>  X
> / \
> ---
>
>
>
>

-- 
Igor





Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Igor Brezac


Sorry about this.  This was not very useful.
Use
slapd -d 257 -h "ldap:/// ldaps:///"

-Igor




Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Felix Cuello

Here is the stdout of slapd. What do you think?

thanks for your time and patience!

Felix



@(#) $OpenLDAP: slapd 2.0.23-Release (Thu Feb 21 12:43:53 EST 2002) $

[EMAIL PROTECTED]:/usr/src/build/73902-i386/BUILD/openldap-2.0.23/build-krb5/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
ldap_pvt_gethostbyname_a: host=upsoluciones, r=0
daemon: conn=0 fd=10 connection from IP=200.69.213.9:1478
(IP=0.0.0.0:31746) accepted.




---
 Felix Cuello <[EMAIL PROTECTED]>
 Qodiga/its   

/"\  ASCII Ribbon Campaign
\ /  No HTML in mail or news!
 X
/ \
---






Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Felix Cuello

That's all for LDAPS with SASLAUTHD and slapd -d 8 -h "ldap:/// ldaps:///"

daemon: activity on 1 descriptors
daemon: new connection on 10
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL


That's all for LDAP with SASLAUTHD and slapd -d 8 -h "ldap:/// ldaps:///"

daemon: activity on 1 descriptors
daemon: new connection on 10
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
ber_flush: 14 bytes to sd 10
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
ber_flush: 667 bytes to sd 10
ber_flush: 14 bytes to sd 10
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
daemon: select: listen=6 active_threads=2 tvp=NULL
daemon: select: listen=7 active_threads=2 tvp=NULL
ber_flush: 14 bytes to sd 10
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
daemon: select: listen=6 active_threads=2 tvp=NULL
daemon: select: listen=7 active_threads=2 tvp=NULL
ber_flush: 14 bytes to sd 10


Sorry for the long post

Felix


---
 Felix Cuello <[EMAIL PROTECTED]>
 Qodiga/its   

/"\  ASCII Ribbon Campaign
\ /  No HTML in mail or news!
 X
/ \
---






Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Igor Brezac


On Wed, 16 Oct 2002, Felix Cuello wrote:

> Well...
>
> I'm trying now to start slapd with -d 8, but I have a little problem to
> start ldaps, because running the daemon directly from the command line ldaps
> doesn't start, but it works if I run it from the ldap script...
> [when I resolve this problem I will send the openldap logfile]
>
> But... I tried this:
>
> Sniffing connections using ethereal I see that:
>
> saslauthd doesn't send "Client Hello" (SSL)
>
> and when I do
>
> ldapsearch -x -H ldaps://upsoluciones.palermo.edu/ -b
> ou=people,dc=palermo,dc=edu -Duid=cyrus,ou=people,dc=palermo,dc=edu -W
> uid=fcuell
>
> ldapclient sends "Client Hello" and the connection is established..
> Then all fields in fcuell are displayed.
>
>
> I think that the ldap server expects "Client Hello" from saslauthd and it
> never comes.
>
> What do you think?
>
>

I am really not sure how the protocol works, but I do not think this
is the problem.  saslauthd/ldap and ldapsearch use the same ldap API
calls, so in theory it _should_ work.  But...

What version of cyrus-sasl do you use?

-- 
Igor




Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Felix Cuello

Well...

   I'm trying now to start slapd with -d 8, but I have a little problem to
start ldaps, because running the daemon directly from the command line ldaps
doesn't start, but it works if I run it from the ldap script...
[when I resolve this problem I will send the openldap logfile]

   But... I tried this:

   Sniffing connections using ethereal I see that:

   saslauthd doesn't send "Client Hello" (SSL)

   and when I do

   ldapsearch -x -H ldaps://upsoluciones.palermo.edu/ -b
ou=people,dc=palermo,dc=edu -Duid=cyrus,ou=people,dc=palermo,dc=edu -W
uid=fcuell

   ldapclient sends "Client Hello" and the connection is established..
   Then all fields in fcuell are displayed.


I think that the ldap server expects "Client Hello" from saslauthd and it
never comes.

What do you think?


Thanks a lot

Felix



---
 Felix Cuello <[EMAIL PROTECTED]>
 Qodiga/its   

/"\  ASCII Ribbon Campaign
\ /  No HTML in mail or news!
 X
/ \
---
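The ethereal observation above (no "Client Hello" from saslauthd, while ldapsearch sends one) and Igor's reading of the slapd trace ("a connection came in, but it is not an ldaps session") come down to one question: what are the first bytes the client writes after the TCP connection opens? The following is an added example for this thread, not code from saslauthd, OpenLDAP or ethereal. It encodes a simple BindRequest and a BindResponse by hand following RFC 4511 (LDAP messages are BER-encoded), builds a minimal TLS ClientHello record, and classifies a captured first segment as TLS or plaintext LDAP. The DN and password in the sample bind request are constructed, not taken from anyone's server. As a side check, the BindResponse with empty matchedDN and diagnosticMessage encodes to 14 bytes, which is the size of the `ber_flush: 14 bytes` writes in the plain-ldap trace posted earlier in the thread.

```python
"""Tell a TLS ClientHello apart from a plaintext LDAP message on a fresh connection.

Added example for this thread; it is not code from saslauthd, OpenLDAP or
ethereal. Encodings follow RFC 4511 (LDAP messages are BER-encoded) and the
TLS record layer. All sample messages are constructed here, including the
DN and password in the sample bind request.
"""


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def tlv(tag: int, body: bytes) -> bytes:
    """One BER TLV: identifier octet, length, contents."""
    return bytes([tag]) + ber_len(len(body)) + body


def ldap_bind_request(msgid: int, dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest} using simple authentication.

    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER (3),
    name LDAPDN, authentication CHOICE { simple [0] OCTET STRING } }.
    This is what a simple bind over plain ldap:// puts on the wire first."""
    bind = tlv(0x60, tlv(0x02, ber_int(3)) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, ber_int(msgid)) + bind)


def ldap_bind_response(msgid: int, result_code: int) -> bytes:
    """LDAPMessage{messageID, BindResponse} with empty matchedDN and diagnosticMessage.

    BindResponse ::= [APPLICATION 1] SEQUENCE { resultCode ENUMERATED,
    matchedDN LDAPDN, diagnosticMessage LDAPString }."""
    result = tlv(0x0A, ber_int(result_code)) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, tlv(0x02, ber_int(msgid)) + tlv(0x61, result))


def sample_tls_client_hello() -> bytes:
    """Constructed minimal TLS 1.0 ClientHello record (one cipher suite, no extensions)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends after the TCP connection opens.

    An ldaps:// client must begin with a TLS handshake record: content type
    0x16, version 0x03 0x0N, two length bytes, then handshake type 0x01
    (ClientHello). A plaintext LDAP client begins with the BER SEQUENCE tag
    0x30 of its first LDAPMessage. An SSLv2-style hello (high bit set in the
    first byte, message type 0x01 in the third) is reported separately."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if len(data) >= 2 and data[0] == 0x30:
        return "plaintext-ldap"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    return "unknown"


def diagnose(first_bytes: bytes, listener: str) -> str:
    """Match what the client sent against the listener it connected to ("ldap" or "ldaps")."""
    kind = classify_first_bytes(first_bytes)
    if listener == "ldaps" and kind == "plaintext-ldap":
        return "plaintext LDAP on the ldaps listener: the client did not start TLS"
    if listener == "ldap" and kind.endswith("client-hello"):
        return "TLS hello on the plain ldap listener: client expects ldaps here"
    if listener == "ldaps" and kind.endswith("client-hello"):
        return "TLS handshake started as expected"
    if listener == "ldap" and kind == "plaintext-ldap":
        return "plaintext LDAP as expected"
    return f"unrecognised first bytes ({kind})"


if __name__ == "__main__":
    req = ldap_bind_request(1, "uid=cyrus,ou=people,dc=example,dc=edu", "constructed-password")
    print(classify_first_bytes(req), "->", diagnose(req, "ldaps"))
    hello = sample_tls_client_hello()
    print(classify_first_bytes(hello), "->", diagnose(hello, "ldaps"))
    print(len(ldap_bind_response(1, 0)), "bytes:", ldap_bind_response(1, 0).hex())
```

Feed `classify_first_bytes` the first segment of a capture taken on port 636: a result of `plaintext-ldap` means the client connected to the TLS port but never started a handshake, which is exactly the symptom the trace shows and is independent of certificates or ACLs; a `tls-client-hello` followed by a failure points at the certificate side instead (`ldap_tls_check_peer`, CA file).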






Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Igor Brezac


On Wed, 16 Oct 2002, Felix Cuello wrote:

> > #ldap_tls_check_peer: yes - This can get you in trouble if your
> > certificates are not setup properly on both the ldap server and the
> > client.
>
> I commented out this line... but Cyrus does not recognize IMAP/POP users
> using ldaps
>
> > Does
> > ldapsearch -x -H ldaps://hostname.domain/ -b
> > ou=people,dc=,dc=xxx \ -Duid=cyrus,ou=people,dc=xxx,dc=xxx
> > -W uid=some_username
> > work?
>
> YES!... it does.
>
> mmm I'm thinking that it can be an ACL problem, because this query
> retrieved all fields of my user except userPassword. But it is rare, because
> trying the same ldapsearch but using ldap (instead of ldaps) userPassword
> does not come in the fields, but cyrus can check the user identity [ACL
> rules are configured to do that]
>

This is probably going to be a problem once saslauthd is able to connect
via ldaps.

> > Have you checked openldap syslog?
>

I need the openldap server syslog messages, you showed me the saslauthd
syslog messages.  Start slapd -d 8.  This will output all the openldap
debug messages to stdout.  Hopefully this will give you some clues as to
why you are not able to connect.

-Igor

> Yes... and look this:
>
> -
> 1.- when I put this line into my saslauthd.conf
>
> ldap_servers: ldap://upsoluciones.palermo.edu/
> the messages are:
> Oct 18 10:56:59 upsoluciones pop3d[23559]: login: upsoluciones[127.0.0.1]
> fcuell plaintext
> And I can check my mail fine!.
> --
> 2.- When I put this line into my saslauthd.conf
> ldap_servers: ldaps://upsoluciones.palermo.edu/
> the messages are:
> Oct 18 11:00:02 upsoluciones saslauthd[23583]: ldap_simple_bind(as
> uid=cyrus,ou=people,dc=palermo,dc=edu) failed (Can't contact LDAP server)
> Oct 18 11:00:02 upsoluciones saslauthd[23583]: lak_bind() failed
> Oct 18 11:00:02 upsoluciones saslauthd[23583]: AUTHFAIL: user=fcuell
> service=pop realm=
> And I can't check my email
> -
>
>
> This is my netstat -antp output (just the lines of ldap server)
>
> tcp0  0 0.0.0.0:389 0.0.0.0:*   LISTEN
>  32365/slapd
> tcp0  0 0.0.0.0:636 0.0.0.0:*   LISTEN
>  32365/slapd
>
> -
>
> What do you think?... I'm really lost with this problem..
>
>
> Thanks a lot for your time!
>
> Felix
> SFMPE == Sorry For My Poor English :-)
>
>
>

-- 
Igor




Re: sasl 2.1.9 + LDAPS problem

2002-10-16 Thread Felix Cuello

> #ldap_tls_check_peer: yes - This can get you in trouble if your
> certificates are not setup properly on both the ldap server and the
> client.

I commented out this line... but Cyrus does not recognize IMAP/POP users
using ldaps

> Does
> ldapsearch -x -H ldaps://hostname.domain/ -b
> ou=people,dc=,dc=xxx \ -Duid=cyrus,ou=people,dc=xxx,dc=xxx
> -W uid=some_username
> work?

YES!... it does.

mmm I'm thinking that it can be an ACL problem, because this query
retrieved all fields of my user except userPassword. But it is rare, because
trying the same ldapsearch but using ldap (instead of ldaps) userPassword
does not come in the fields, but cyrus can check the user identity [ACL
rules are configured to do that]

> Have you checked openldap syslog?

Yes... and look this:

-
1.- when I put this line into my saslauthd.conf

ldap_servers: ldap://upsoluciones.palermo.edu/
the messages are:
Oct 18 10:56:59 upsoluciones pop3d[23559]: login: upsoluciones[127.0.0.1]
fcuell plaintext
And I can check my mail fine!.
--
2.- When I put this line into my saslauthd.conf
ldap_servers: ldaps://upsoluciones.palermo.edu/
the messages are:
Oct 18 11:00:02 upsoluciones saslauthd[23583]: ldap_simple_bind(as
uid=cyrus,ou=people,dc=palermo,dc=edu) failed (Can't contact LDAP server)
Oct 18 11:00:02 upsoluciones saslauthd[23583]: lak_bind() failed
Oct 18 11:00:02 upsoluciones saslauthd[23583]: AUTHFAIL: user=fcuell
service=pop realm=
And I can't check my email
-


This is my netstat -antp output (just the lines of ldap server)

tcp0  0 0.0.0.0:389 0.0.0.0:*   LISTEN
 32365/slapd
tcp0  0 0.0.0.0:636 0.0.0.0:*   LISTEN
 32365/slapd

-

What do you think?... I'm really lost with this problem..


Thanks a lot for your time!

Felix
SFMPE == Sorry For My Poor English :-)





Re: sasl 2.1.9 + LDAPS problem

2002-10-15 Thread Igor Brezac


On Tue, 15 Oct 2002, Felix Cuello wrote:

> Hello,
>
> Well... sasl 2.1.9 didn't solve my problem...then... I have a
> configuration problem.
>
> I'm actually running Cyrus 2.1.9, sasl 2.1.9 and openldap
> 2.0.23-4,,, all this on a Red Hat 7.3...
>
> In my /usr/local/etc/saslauthd.conf, I have these lines:
>
> # doesn't work with ldap_servers: ldap://localhost
> # doesn't work with ldap_servers: ldaps://hostnamedomain:636
> ldap_servers: ldap://hostname.domain/
> ldap_bind_dn: uid=cyrus,ou=people,dc=xxx,dc=xxx
> ldap_bind_pw: xxx
> ldap_search_base: ou=people,dc=,dc=xxx
> ldap_tls_check_peer: yes
> ldap_tls_cacert_file: certificate.pem
> ldap_tls_cacert_dir: /usr/share/ssl/certs/
>

ldaps should work, someone recently reported that ldaps worked against
Novell NDS.  Try,

ldap_servers: ldaps://hostname.domain/
ldap_bind_dn: uid=cyrus,ou=people,dc=xxx,dc=xxx
ldap_bind_pw: xxx
ldap_search_base: ou=people,dc=,dc=xxx
ldap_tls_cacert_file: /usr/share/ssl/certs/certificate.pem

#ldap_tls_check_peer: yes - This can get you in trouble if your
certificates are not setup properly on both the ldap server and the
client.

Does
ldapsearch -x -H ldaps://hostname.domain/ -b ou=people,dc=,dc=xxx \
-Duid=cyrus,ou=people,dc=xxx,dc=xxx -W uid=some_username
work?

Have you checked openldap syslog?

-Igor

> 
>
> I tried some tests, like:
>
> stunnel ldap ---> ldaps
>
> and that works fine... because saslauthd tries to connect to a simple ldap
> server and STUNNEL does the rest with the LDAPS server...
>
> But I don't want to use stunnel, because it is a little bit unstable..
>
>
> thanks a lot and sorry for my poor english :-)
>
>
> Felix
>
>
>
>

-- 
Igor
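Igor's reply changes three things in the posted saslauthd.conf: the URL scheme (ldaps instead of ldap), the CA file path (absolute instead of the bare `certificate.pem`), and `ldap_tls_check_peer`, which he comments out for debugging. Each of those has a security consequence worth making explicit, so here is an added example, not part of saslauthd or OpenLDAP, that reads the `key: value` format shown in the thread and reports: a TLS connection with peer checking off (the server certificate is then not verified, so the connection is only as trustworthy as the network path), a simple-bind password sent over plain ldap:// to a host other than loopback, and a relative CA file path. The sample configurations are the two from the thread with their xxx placeholders plus one constructed loopback variant along the lines Kervin proposes; treating an absent `ldap_tls_check_peer` as "no" is an assumption based on the saslauthd LDAP documentation as I recall it.

```python
"""Check a saslauthd.conf LDAP section for the settings debated in this thread.

Added example, not part of saslauthd or OpenLDAP. Reads the `key: value`
format shown in the messages and reports, per ldap_servers URL, findings a
defender cares about. Sample configurations come from the thread (with its
xxx placeholders) plus one constructed loopback variant. Treating a missing
ldap_tls_check_peer as "no" is an assumption about saslauthd's default.
"""
from urllib.parse import urlsplit

# Hosts for which a plaintext bind never leaves the machine. "" covers
# ldap:/// with no host, which libldap treats as the local host.
LOOPBACK_HOSTS = {"", "localhost", "127.0.0.1", "::1"}
TRUE_VALUES = {"yes", "on", "true", "1"}


def parse_saslauthd_conf(text: str) -> dict:
    """Parse `key: value` lines; blank lines and # comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def review(conf: dict) -> list:
    """Return (code, message) findings for the LDAP settings in conf."""
    findings = []
    servers = conf.get("ldap_servers", "").split()
    check_peer = conf.get("ldap_tls_check_peer", "no").lower() in TRUE_VALUES
    cacert = conf.get("ldap_tls_cacert_file", "")
    for url in servers:
        parts = urlsplit(url)
        scheme, host = parts.scheme.lower(), (parts.hostname or "")
        if scheme == "ldaps" and not check_peer:
            findings.append(("no-peer-check",
                             f"{url}: TLS without ldap_tls_check_peer, server certificate is not verified"))
        elif scheme == "ldap" and host not in LOOPBACK_HOSTS and "ldap_bind_pw" in conf:
            findings.append(("plaintext-bind",
                             f"{url}: simple-bind password crosses the network unencrypted"))
    if cacert and not cacert.startswith("/"):
        findings.append(("relative-cacert",
                         f"ldap_tls_cacert_file {cacert!r} is resolved against the daemon's working directory; use an absolute path"))
    return findings


def review_text(text: str) -> list:
    """Parse and review in one step."""
    return review(parse_saslauthd_conf(text))


FELIX_CONF = """\
# as posted: plain ldap, peer checking on, relative CA file
ldap_servers: ldap://hostname.domain/
ldap_bind_dn: uid=cyrus,ou=people,dc=xxx,dc=xxx
ldap_bind_pw: xxx
ldap_search_base: ou=people,dc=xxx,dc=xxx
ldap_tls_check_peer: yes
ldap_tls_cacert_file: certificate.pem
ldap_tls_cacert_dir: /usr/share/ssl/certs/
"""

IGOR_CONF = """\
# as suggested: ldaps, absolute CA file, peer checking commented out
ldap_servers: ldaps://hostname.domain/
ldap_bind_dn: uid=cyrus,ou=people,dc=xxx,dc=xxx
ldap_bind_pw: xxx
ldap_search_base: ou=people,dc=xxx,dc=xxx
ldap_tls_cacert_file: /usr/share/ssl/certs/certificate.pem
#ldap_tls_check_peer: yes
"""

LOOPBACK_CONF = """\
# constructed: local replica on the mail host, nothing leaves the machine
ldap_servers: ldap://127.0.0.1/
ldap_bind_dn: uid=cyrus,ou=people,dc=xxx,dc=xxx
ldap_bind_pw: xxx
ldap_search_base: ou=people,dc=xxx,dc=xxx
"""

if __name__ == "__main__":
    for name, text in (("posted", FELIX_CONF), ("suggested", IGOR_CONF), ("loopback", LOOPBACK_CONF)):
        print(name)
        for code, msg in review_text(text) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Disabling peer checking is a reasonable way to find out whether the certificate is the cause of a connection failure, but the checker keeps flagging it until it is turned back on, which is the point: an ldaps:// URL with verification off gives confidentiality against a passive observer only.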




sasl 2.1.9 + LDAPS problem

2002-10-15 Thread Felix Cuello

Hello,

   Well... sasl 2.1.9 didn't solve my problem...then... I have a
configuration problem.

   I'm actually running Cyrus 2.1.9, sasl 2.1.9 and openldap
2.0.23-4,,, all this on a Red Hat 7.3...

   In my /usr/local/etc/saslauthd.conf, I have these lines:

# doesn't work with ldap_servers: ldap://localhost
# doesn't work with ldap_servers: ldaps://hostnamedomain:636
ldap_servers: ldap://hostname.domain/
ldap_bind_dn: uid=cyrus,ou=people,dc=xxx,dc=xxx
ldap_bind_pw: xxx
ldap_search_base: ou=people,dc=,dc=xxx
ldap_tls_check_peer: yes
ldap_tls_cacert_file: certificate.pem
ldap_tls_cacert_dir: /usr/share/ssl/certs/



I tried some tests, like:

stunnel ldap ---> ldaps

and that works fine... because saslauthd tries to connect to a simple ldap
server and STUNNEL does the rest with the LDAPS server...

But I don't want to use stunnel, because it is a little bit unstable..


thanks a lot and sorry for my poor english :-)


Felix