SASL and OpenLDAP with SSL - PROBLEM SOLVED !!!!

Mihai Barbos mihai.barbos at eurospider.com
Thu Jul 5 12:51:47 EDT 2007


Guus Leeuw jr. wrote:
> On Thu, July 5, 2007 16:37, Mihai Barbos wrote:
>>> Mihai Barbos <mihai.barbos at eurospider.com> writes:
>>>
>>>> Hi
>>>>
>>>>
>>>> Can someone please help me with the following (annoying) problem:
>>>> I've got a saslauthd connecting to ldap on CentOS 5.0. With tls
>>>> disabled everything seems to work OK. With tls enabled, the connection to
>>>> LDAP is established OK but the authentication fails. LDAP
>>>> (openldap) reports TLS established and then UNBIND.
>>>>
>>>>
>>>> Does it ring any bell to anyone ? Any idea is welcome. Of course I can
>>>> post any configuration that might be of interest.
>>
>> The problem though was a LOT more trivial. The SSL certificate
>> verification of the ^&%^* saslauthd is simply wrong. It looks like it compares
>> the ldap server STRING FROM THE CONFIGURATION FILE WITH THE DN FROM THE
>> CERTIFICATE.
> 
> Which is *totally* expected.
> 
> Remember: certificates are to announce trust much like a passport: If you show
> the border control a passport that shows your wife's face, you will run into
> problems. So if a certificate says "I am host x.y.z" and the *checking*
> software is expecting "I am host x" there cannot be trust established.
> 
>> So, if you have:
>> ldap_servers: ldap://gogoserver
>> in saslauthd.conf (or however you name it) and the certificate has been issued
>> to gogoserver.gogoland.net (as it is normal) the verification fails and
>> saslauthd bails out. Not to mention that the same happens if you use the IP or
>> a CNAME.
> 
> Great. At least saslauthd seems to work!
> 
>> Mihai
>>

IMHO this is wrong. The check is supposed to be between the certificate 
and the name *it* gave me, not between the certificate and the name *I* 
say, because it should be about trusting its identity, not my 
assumptions. Whether it is the one I asked for is a different problem. 
But I might be wrong.

Anyway the problem here is that the debugging facilities of saslauthd 
are close to none, so simple problems like this one can become pretty 
annoying.
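As an added illustration, not part of the original thread and not saslauthd's own code, the following Python script reproduces the check Guus describes (configured name versus the name the certificate asserts) and the three failure cases Mihai lists: a short name, an IP address, and a CNAME alias. The certificate dictionary is constructed to look like what Python's ssl.SSLSocket.getpeercert() returns; only the hostnames gogoserver and gogoserver.gogoland.net come from the post, the address 192.0.2.10 and the alias ldap.gogoland.net are made-up examples. The matching rules (subjectAltName first, subject commonName as a legacy fallback, a single leftmost-label wildcard) are the generic RFC 6125 / RFC 2818 rules, used here to show the principle rather than any particular library's implementation.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for ssl.SSLSocket.getpeercert() output for a certificate
# issued to gogoserver.gogoland.net (the name from the mailing-list post).
# The certificate itself is invented for this example.
PEER_CERT = {
    "subject": ((("commonName", "gogoserver.gogoland.net"),),),
    "subjectAltName": (("DNS", "gogoserver.gogoland.net"),),
}


def _dns_match(pattern, hostname):
    """Match one DNS name from the certificate against the expected hostname.

    Case-insensitive; a '*' as the complete leftmost label matches exactly one
    label, which is the RFC 6125 style of wildcard (so *.gogoland.net matches
    gogoserver.gogoland.net but neither gogoland.net nor a.b.gogoland.net).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".gogoland.net"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_identities(cert):
    """Return the (kind, value) identities a certificate asserts.

    subjectAltName entries win when present; otherwise fall back to the
    subject commonName, which is the legacy behaviour older checkers used.
    """
    san = cert.get("subjectAltName", ())
    if san:
        return [(kind, value) for kind, value in san if kind in ("DNS", "IP Address")]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [("DNS", value)]
    return []


def hostname_matches_cert(cert, expected):
    """Does the name the client configured match what the certificate asserts?

    Returns (ok, reason). An IP address only matches an 'IP Address' SAN;
    a DNS name only matches a 'DNS' SAN (or the CN fallback).
    """
    ids = cert_identities(cert)
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in ids:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "IP matched SAN %s" % value
        return False, "certificate has no IP SAN for %s" % expected
    for kind, value in ids:
        if kind == "DNS" and _dns_match(value, expected):
            return True, "matched %s" % value
    return False, "expected %r, certificate asserts %s" % (expected, [v for _, v in ids])


def check_ldap_servers(ldap_servers, cert):
    """Run the check over a saslauthd-style 'ldap_servers:' value of space-separated URIs."""
    results = {}
    for uri in ldap_servers.split():
        host = urlparse(uri).hostname
        results[uri] = hostname_matches_cert(cert, host)
    return results


if __name__ == "__main__":
    # Constructed ldap_servers line: only the last entry names the host the way
    # the certificate does, so only that one verifies.
    servers = ("ldap://gogoserver ldap://192.0.2.10 "
               "ldap://ldap.gogoland.net ldap://gogoserver.gogoland.net")
    for uri, (ok, why) in check_ldap_servers(servers, PEER_CERT).items():
        print("%-35s %s (%s)" % (uri, "OK" if ok else "FAIL", why))
```

Running it prints FAIL for the short name, the IP and the CNAME alias and OK only for ldap://gogoserver.gogoland.net, which is the same outcome the post describes; the practical consequence for an operator is that the value in ldap_servers has to be a name the certificate actually carries (or the certificate has to carry the name you use), and a client that skips this comparison would accept any certificate signed by a trusted CA for any host.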
