Re: SASL and OpenLDAP with SSL - PROBLEM SOLVED !!!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, July 5, 2007 16:37, Mihai Barbos wrote:
>> Mihai Barbos <mihai.barbos@xxxxxxxxxxxxxx> writes:
>>
>>> Hi
>>>
>>>
>>> Can someone please help me with the following (annoying) problem:
>>> I've got a saslauthd connecting to ldap on CentOS 5.0. With tls
>>> disabled everything seems to work OK. With tls enabled, the connection to
>>> LDAP is established OK but the authentication fails. LDAP
>>> (openldap) reports TLS established and then UNBIND.
>>>
>>>
>>> Does it ring any bell to anyone ? Any idea is welcome. Of course I can
>>> post any configuration that might be of interest.
>
>
> The problem though was a LOT more trivial. The SSL certificate
> verification of the ^&%^* saslauthd is simply wrong. It looks like it compares
> the ldap server STRING FROM THE CONFIGURATION FILE WITH THE DN FROM THE
> CERTIFICATE.

Which is *totally* expected.

Remember: certificates are to announce trust much like a passport: If you show
the border control a passport that shows your wife's face, you will run into
problems. So if a certificate says "I am host x.y.z" and the *checking*
software is expecting "I am host x" there cannot be trust established.

>
> So, if you have:
> ldap_servers: ldap://gogoserver
> in saslauthd.conf (or however you name it) an the certificate has been issued
> to  gogoserver.gogoland.net (as it is normal) the verification fails and
> saslauthd bails out. Not to mention that the same happens if you use the IP or
> a CNAME.

Great. At least saslauthd seems to work!

> Mihai
>
>
>
>



[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux