On Thu, July 5, 2007 16:37, Mihai Barbos wrote:
>> Mihai Barbos <mihai.barbos@xxxxxxxxxxxxxx> writes:
>>
>>> Hi
>>>
>>> Can someone please help me with the following (annoying) problem:
>>> I've got a saslauthd connecting to ldap on CentOS 5.0. With tls
>>> disabled everything seems to work OK. With tls enabled, the connection to
>>> LDAP is established OK but the authentication fails. LDAP
>>> (openldap) reports TLS established and then UNBIND.
>>>
>>> Does it ring any bell to anyone? Any idea is welcome. Of course I can
>>> post any configuration that might be of interest.
>
> The problem though was a LOT more trivial. The SSL certificate
> verification of the ^&%^* saslauthd is simply wrong. It looks like it compares
> the ldap server STRING FROM THE CONFIGURATION FILE WITH THE DN FROM THE
> CERTIFICATE.

Which is *totally* expected. Remember: certificates are to announce trust much like a passport: If you show the border control a passport that shows your wife's face, you will run into problems. So if a certificate says "I am host x.y.z" and the *checking* software is expecting "I am host x" there cannot be trust established.

> So, if you have:
> ldap_servers: ldap://gogoserver
> in saslauthd.conf (or however you name it) and the certificate has been issued
> to gogoserver.gogoland.net (as it is normal) the verification fails and
> saslauthd bails out. Not to mention that the same happens if you use the IP or
> a CNAME. Great. At least saslauthd seems to work!
> Mihai
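The hostname check the thread describes, as an added illustration that is not saslauthd's own verifier: it pulls the hosts out of an `ldap_servers:` line and compares each against a constructed certificate identity (subject CN plus SAN entries, with RFC 6125-style single-label wildcards), so the short name, IP or CNAME cases from the thread fail and the FQDN the cert was issued to passes. All function names and the `CERT_NAMES` record are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed certificate identity mirroring the thread: issued to the FQDN,
# not to the short host name, IP address or CNAME that saslauthd.conf may use.
CERT_NAMES = {
    "subject_cn": "gogoserver.gogoland.net",
    "san_dns": ["gogoserver.gogoland.net"],
    "san_ip": [],
}


def hosts_from_saslauthd_conf(conf_text):
    """Return the host part of every URI on the ldap_servers: line."""
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "ldap_servers":
            return [urlsplit(uri.strip()).hostname for uri in value.split()]
    return []


def _dns_match(pattern, host):
    """Exact match, or a wildcard that covers only the left-most label."""
    p, h = pattern.lower(), host.lower()
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def cert_matches_host(cert, host):
    """True when the name the client dialled is one of the cert's identities."""
    if host is None:
        return False
    if host in cert.get("san_ip", []):
        return True
    # SAN dNSName entries take precedence; fall back to the subject CN only
    # when the certificate carries no SAN names at all.
    dns_names = cert.get("san_dns") or [cert.get("subject_cn")]
    return any(_dns_match(n, host) for n in dns_names if n)


def check_conf(conf_text, cert=CERT_NAMES):
    """Map each configured LDAP host to whether the cert would verify for it."""
    return {h: cert_matches_host(cert, h) for h in hosts_from_saslauthd_conf(conf_text)}
```

Running `check_conf("ldap_servers: ldap://gogoserver")` reproduces the failure from the thread, and only the `ldap://gogoserver.gogoland.net` form verifies against this certificate.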