SASL and OpenLDAP with SSL - PROBLEM SOLVED !!!!

Guus Leeuw jr. guus.leeuw at guusleeuwit.com
Thu Jul 5 11:59:33 EDT 2007


On Thu, July 5, 2007 16:37, Mihai Barbos wrote:
>> Mihai Barbos <mihai.barbos at eurospider.com> writes:
>>
>>> Hi
>>>
>>>
>>> Can someone please help me with the following (annoying) problem:
>>> I've got a saslauthd connecting to ldap on CentOS 5.0. With tls
>>> disabled everything seems to work OK. With tls enabled, the connection to
>>> LDAP is established OK but the authentication fails. LDAP
>>> (openldap) reports TLS established and then UNBIND.
>>>
>>>
>>> Does it ring any bell to anyone ? Any idea is welcome. Of course I can
>>> post any configuration that might be of interest.
>
>
> The problem though was a LOT more trivial. The SSL certificate
> verification of the ^&%^* saslauthd is simply wrong. It looks like it compares
> the ldap server STRING FROM THE CONFIGURATION FILE WITH THE DN FROM THE
> CERTIFICATE.

Which is *totally* expected.

Remember: certificates are to announce trust much like a passport: If you show
the border control a passport that shows your wife's face, you will run into
problems. So if a certificate says "I am host x.y.z" and the *checking*
software is expecting "I am host x" there cannot be trust established.

>
> So, if you have:
> ldap_servers: ldap://gogoserver
> in saslauthd.conf (or however you name it) and the certificate has been issued
> to gogoserver.gogoland.net (as it is normal) the verification fails and
> saslauthd bails out. Not to mention that the same happens if you use the IP or
> a CNAME.

Great. At least saslauthd seems to work!

> Mihai
>
>
>
>
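The hostname check the thread describes, written out as an added example (not code from the thread, from saslauthd or from OpenLDAP): the host part of the `ldap_servers` URI is compared against the names the certificate was issued for, so a short name, an IP address or a CNAME alias fails against a certificate for the canonical FQDN. The certificate names and the IP address are constructed sample values; the matching follows the usual RFC 6125 rules (case-insensitive exact match, a single left-most wildcard label, IP addresses only via an iPAddress entry).

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit


def uri_host(uri: str) -> str:
    """Host part of an LDAP URI as written in saslauthd.conf, e.g. ldap://gogoserver."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError(f"no host in URI: {uri!r}")
    return host


def _dns_name_match(presented: str, hostname: str) -> bool:
    """Match one dNSName/CN from the certificate against the configured hostname.
    Exact case-insensitive match, or '*' as the whole left-most label matching
    exactly one label (so *.gogoland.net covers gogoserver.gogoland.net only)."""
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    # Wildcard only in the left-most label, and never for the bare domain.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def hostname_matches(configured_host: str, cert_names: Iterable[str]) -> bool:
    """True if the configured host matches a name the certificate was issued for."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    for name in cert_names:
        if ip is not None:
            # An IP in the URI must appear literally as an iPAddress SAN; no DNS matching.
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                continue
        elif _dns_name_match(name, configured_host):
            return True
    return False


# Constructed sample: certificate issued to the canonical FQDN from the thread.
CERT_NAMES = ["gogoserver.gogoland.net"]

if __name__ == "__main__":
    for uri in ("ldap://gogoserver", "ldap://gogoserver.gogoland.net", "ldap://192.0.2.10"):
        print(uri, "->", hostname_matches(uri_host(uri), CERT_NAMES))
```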