Hi all, 

 I'm confused about this problem. Please help... 

 I
installed OpenLDAP (2.4.25) with Cyrus SASL (2.1.23) and OpenSSL (0.9.8r).
I started LDAP with SSL port: 

 #./slapd -h 'ldaps:///' 

 Everything was OK,
but when I test an OpenLDAP uid through SASL, I have a problem: 


root@ftp:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
 0: NO
"authentication failed" 

 I checked the log and found these messages: 


ldap_simple_bind_s
 ldap_sasl_bind_s
 ldap_sasl_bind

ldap_send_initial_request
 ldap_new_connection 1 1 0

ldap_int_open_connection
 ldap_connect_to_host: TCP localhost:636

ldap_new_socket: 10
 ldap_prepare_socket: 10
 ldap_connect_to_host: Trying
127.0.0.1:636
 ldap_pvt_connect: fd: 10 tm: 5 async: 0
 ldap_ndelay_on: 10

ldap_int_poll: fd: 10 tm: 5
 ldap_is_sock_ready: 10
 ldap_ndelay_off: 10

ldap_pvt_connect: 0
 TLS trace: SSL_connect:before/connect initialization

TLS trace: SSL_connect:SSLv2/v3 write client hello A
 TLS trace:
SSL_connect:SSLv3 read server hello A
 TLS certificate verification: depth:
1, err: 0, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer:
/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 TLS certificate verification: depth:
0, err: 7, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer:
/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 TLS certificate verification: Error,
certificate signature failure
 TLS trace: SSL3 alert write:fatal:decrypt
error
 TLS trace: SSL_connect:error in SSLv3 read server certificate B
 TLS
trace: SSL_connect:error in SSLv3 read server certificate B
 TLS: can't
connect: error:14090086:SSL routines:func(144):reason(134) (certificate
signature failure).
 ldap_err2string
 ldap_unbind
 ldap_create

ldap_url_parse_ext(ldaps://localhost)
 ldap_simple_bind_s

ldap_sasl_bind_s
 ldap_sasl_bind
 ldap_send_initial_request

ldap_new_connection 1 1 0
 ldap_int_open_connection
 ldap_connect_to_host:
TCP localhost:636
 ldap_new_socket: 10
 ldap_prepare_socket: 10

ldap_connect_to_host: Trying 127.0.0.1:636
 ldap_pvt_connect: fd: 10 tm: 5
async: 0
 ldap_ndelay_on: 10
 ldap_int_poll: fd: 10 tm: 5

ldap_is_sock_ready: 10
 ldap_ndelay_off: 10
 ldap_pvt_connect: 0
 TLS
trace: SSL_connect:before/connect initialization
 TLS trace:
SSL_connect:SSLv2/v3 write client hello A
 TLS trace: SSL_connect:SSLv3
read server hello A
 TLS certificate verification: depth: 1, err: 0,
subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer:
/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 TLS certificate verification: depth:
0, err: 7, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer:
/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 TLS certificate verification: Error,
certificate signature failure
 TLS trace: SSL3 alert write:fatal:decrypt
error
 TLS trace: SSL_connect:error in SSLv3 read server certificate B
 TLS
trace: SSL_connect:error in SSLv3 read server certificate B
 TLS: can't
connect: error:14090086:SSL routines:func(144):reason(134) (certificate
signature failure).
 ldap_err2string
 saslauthd[766] :do_auth : auth
failure: [user=khanhnq] [service=imap] [realm=] [mech=ldap]
[reason=Unknown]
 saslauthd[766] :do_request : response: NO

 What am I
doing wrong? I tested OpenSSL using client authentication and it works OK. 


# openssl s_client -connect localhost:636 -state -CAfile
/var/myCA/demoCA/cacert.pem -cert /var/myCA/clientcrt.pem -key
/var/myCA/clientkey.pem
 CONNECTED(00000003)
 SSL_connect:before/connect
initialization
 SSL_connect:SSLv2/v3 write client hello A

SSL_connect:SSLv3 read server hello A
 depth=1
/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 verify return:1
 depth=0
/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 verify return:1
 SSL_connect:SSLv3
read server certificate A
 SSL_connect:SSLv3 read server certificate
request A
 SSL_connect:SSLv3 read server done A
 SSL_connect:SSLv3 write
client certificate A
 SSL_connect:SSLv3 write client key exchange A

SSL_connect:SSLv3 write certificate verify A
 SSL_connect:SSLv3 write
change cipher spec A
 SSL_connect:SSLv3 write finished A
 SSL_connect:SSLv3
flush data
 SSL_connect:SSLv3 read server session ticket A

SSL_connect:SSLv3 read finished A
 ---
 Certificate chain
 0
s:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com

i:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 1
s:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com

i:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 ---
 Server certificate
 -----BEGIN
CERTIFICATE-----

MIICiTCCAfKgAwIBAgIJAMmeK8RVIEWgMA0GCSqGSIb3DQEBBQUAMEgxCzAJBgNV

BAYTAlZOMQwwCgYDVQQIEwNIQ00xDDAKBgNVBAoTA1NHVDELMAkGA1UECxMCTlcx

EDAOBgNVBAMTB2FiYy5jb20wHhcNMTEwNjEzMDYzMDQ3WhcNMTIwNjEyMDYzMDQ3

WjBIMQswCQYDVQQGEwJWTjEMMAoGA1UECBMDSENNMQwwCgYDVQQKEwNTR1QxCzAJ

BgNVBAsTAk5XMRAwDgYDVQQDEwdhYmMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN

ADCBiQKBgQDEW/sP8n2M7y0LT7ONPZQSnWdOC+E2qyngXaouoKEZauyLkTwWJyQY

MkCeGKwQo1KMGd1O04sw5uD2IWgYBfGuynSalyfGfwETGc4Y/xPHV+FpOY5KRssn

qzmL5Gso276vIOR4KnjZdm5Msp3WQ2z4aNUkLbMspyBugKP9GgjfAwIDAQABo3sw

eTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD

ZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUD7QVqUbn35Jgi1yQdumsHRBdAkswHwYDVR0j

BBgwFoAUAdNX4GIDCCQpSpUEfLXJPW74L2IwDQYJKoZIhvcNAQEFBQADgYEAMf8i

zRpqasBFf6acpRvGG/AkLU+Cz10ffH6zE3DsoKngxP6zEDFOb1quX+E7RE98W/0T

iQPLqS5XLIuLX6BNRjnv79DdyynpwsFVip6pHvDZafWBXrzWVn7WEXy5+VpfjBxe

CADHvgvp4LXh7EtvppO1vPyvphCCexsmCIzoxyA=
 -----END CERTIFICATE-----

subject=/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com

issuer=/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 ---
 Acceptable client
certificate CA names
 /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 ---
 SSL
handshake has read 2431 bytes and written 1804 bytes
 ---
 New,
TLSv1/SSLv3, Cipher is AES256-SHA
 Server public key is 1024 bit
 Secure
Renegotiation IS supported
 Compression: zlib compression
 Expansion: zlib
compression
 SSL-Session:
 Protocol : TLSv1
 Cipher : AES256-SHA

Session-ID:
B79630EC32BF14F01931D1EAB3DC0CF7DA29B42E012C8BD8171EEF46D993BB96

Session-ID-ctx:
 Master-Key:
230F7D9D0736A40EB148CA9091BA0105E6949721E55FD9F84AD057C1CBA38F0A1B2269CAB07E7E71E3310954DDF260BF

Key-Arg : None
 TLS session ticket:
 0000 - 07 19 41 07 ec 4c 66 10-24 a0
dd be 02 ff 05 90 ..A..Lf.$.......
 0010 - a0 f8 64 d3 08 77 a0 bf-24 81 ad
04 b8 d9 e6 9a ..d..w..$.......
 0020 - 04 5a df 4a d5 a1 65 2b-52 4c d4 a2
c2 d6 8b 7f .Z.J..e+RL......
 0030 - fa 66 c7 05 54 58 fa 5d-9a a3 75 82 d0
e8 76 dd .f..TX.]..u...v.
 0040 - 4f da 54 ac 8e 40 95 68-7c da 6f 08 7f 52
a3 f6 O.T..@.h|.o..R..
 0050 - c2 bd 44 ff dd 95 b3 0c-e5 9e 16 95 7c c8 6d
ee ..D.........|.m.
 0060 - 96 03 6b db ae 8c 34 8e-a3 29 87 16 f0 a6 0e 8c
..k...4..)......
 0070 - ac fa c2 76 4a 2d 75 f5-fc b7 1e 83 ec a7 47 0a
...vJ-u.......G.
 0080 - 72 50 e8 24 e2 22 34 5f-ff 6a b1 ea f0 cc 2e 55
rP.$."4_.j.....U
 0090 - 9f ec ea 1b b5 da 12 70-f4 0c ee 10 5b d0 4e 7a
.......p....[.Nz
 00a0 - 0d 60 06 70 02 f7 eb a3-f3 79 a7 69 5d c3 61 d3
.`.p.....y.i].a.
 00b0 - 51 2a 8a 82 c2 11 70 c9-8b 4f 19 58 50 83 6b 0e
Q*....p..O.XP.k.
 00c0 - bf 9e aa 6a 8f 72 59 9c-10 da cc 8f 90 05 db e2
...j.rY.........
 00d0 - 08 31 d8 62 1a 24 0d 50-a4 e1 75 e6 ee 49 19 32
.1.b.$.P..u..I.2
 00e0 - 1f b6 0e 77 11 42 ce 3a-7e 7e 9c 2b be 59 d4 b4
...w.B.:~~.+.Y..
 00f0 - 24 36 b0 a5 39 30 9f 3a-49 f7 19 10 73 f1 3e 06
$6..90.:I...s.>.
 0100 - b4 04 58 3a 5f 4c 02 29-54 b1 25 c7 2f 06 4a 62
..X:_L.)T.%./.Jb
 0110 - fb 4b 52 82 ea 50 7e 12-0e 8b 5a eb a4 34 77 3c
.KR..P~...Z..4w<
 0120 - 9f f4 0d 85 0f 43 9a 5d-f1 ba 3e 28 ab 86 98 17
.....C.]..>(....
 0130 - d1 10 49 d2 a6 f3 e7 32-72 62 41 ac 4c 51 4b 05
..I....2rbA.LQK.
 0140 - bd e7 a3 30 cd 47 37 95-f9 76 1d 4a f1 a2 58 b0
...0.G7..v.J..X.
 0150 - 0b a8 ca 4e 4f a1 67 ff-01 3e 11 29 a9 db f1 3e
...NO.g..>.)...>
 0160 - 43 64 f8 58 4e d3 44 6f-ee cc 61 6d b3 82 ab 77
Cd.XN.Do..am...w
 0170 - e7 3b 6b 83 af b7 42 76-89 e2 e0 d6 8e 66 61 fe
.;k...Bv.....fa.
 0180 - df 7c d8 28 63 04 22 06-cd 41 28 46 d4 08 00 b4
.|.(c."..A(F....
 0190 - 2b 9e 90 ec ee 9f 8e 34-9b 15 5c 71 e8 29 88 c8
+......4..q.)..
 01a0 - 35 4d 88 aa c3 05 53 0a-b8 bd 90 38 68 cf 8b 0b
5M....S....8h...
 01b0 - b0 f3 48 c0 02 8a 9f be-05 1b 13 4a 49 67 32 8f
..H........JIg2.
 01c0 - 66 f2 41 18 11 f1 eb ed-2a d0 a4 de d9 10 83 95
f.A.....*.......
 01d0 - c6 aa 1a 74 83 36 31 db-68 b1 88 37 2b 18 da 6b
...t.61.h..7+..k
 01e0 - b9 be 87 36 64 5c a0 b1-23 eb df d9 8f 96 10 ae
...6d..#.......
 01f0 - 4e db 3b c2 77 65 a4 11-df 65 a8 26 98 4f df 69
N.;.we...e.......
 0210 - f6 93 93 b1 c0 89 65 3a-0d bc 16 e8 f0 5f 9f 5c
......e:....._.
 0220 - 8a bc ea 56 b7 e7 d4 75-4c 19 6d 18 73 64 3c 95
...V...uL.m.sd.
 0260 - 78 0d 94 f1 3a 1a 64 35-b5 54 b5 84 76 44 62 b1
x...:.d5.T..vDb.
 0270 - 36 5c 1d d6 79 27 6d 1c-3c df bb d2 bf 2c 06 40
6..y'm.
