Re: SASL and OpenLDAP with SSL - PROBLEM SOLVED !!!!

Guus Leeuw jr. wrote:
On Thu, July 5, 2007 16:37, Mihai Barbos wrote:
Mihai Barbos <mihai.barbos@xxxxxxxxxxxxxx> writes:

Hi


Can someone please help me with the following (annoying) problem:
I've got a saslauthd connecting to ldap on CentOS 5.0. With tls
disabled everything seems to work OK. With tls enabled, the connection to
LDAP is established OK but the authentication fails. LDAP
(openldap) reports TLS established and then UNBIND.


Does it ring any bell to anyone? Any idea is welcome. Of course I can
post any configuration that might be of interest.

The problem though was a LOT more trivial. The SSL certificate
verification of the ^&%^* saslauthd is simply wrong. It looks like it compares
the ldap server STRING FROM THE CONFIGURATION FILE WITH THE DN FROM THE
CERTIFICATE.

Which is *totally* expected.

Remember: certificates are to announce trust much like a passport: If you show
the border control a passport that shows your wife's face, you will run into
problems. So if a certificate says "I am host x.y.z" and the *checking*
software is expecting "I am host x" there cannot be trust established.

So, if you have:
ldap_servers: ldap://gogoserver
in saslauthd.conf (or however you name it) and the certificate has been issued
to gogoserver.gogoland.net (as is normal), the verification fails and
saslauthd bails out. Not to mention that the same happens if you use the IP or
a CNAME.

Great. At least saslauthd seems to work!

Mihai


IMHO this is wrong. The check is supposed to be between the certificate and the name *it* gave me, not between the certificate and the name *I* say, because it should be about trusting its identity, not my assumptions. Whether it is the one I have asked for is a different problem. But I might be wrong.

Anyway the problem here is that the debugging facilities of saslauthd are close to none, so simple problems like this one can become pretty annoying.
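The comparison Guus describes, as an added illustration that is not code from this thread or from saslauthd itself: the host part of the configured ldap_servers URL is matched against the names a certificate is actually issued for (SAN dNSName entries, with the subject CN as fallback). The certificate contents, the short name, the IP and the CNAME are constructed examples in the shape ssl.getpeercert() returns.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for what ssl.getpeercert() would return for the
# server certificate in the thread: issued to the FQDN, not the short name.
SERVER_CERT = {
    "subject": ((("commonName", "gogoserver.gogoland.net"),),),
    "subjectAltName": (("DNS", "gogoserver.gogoland.net"),),
}


def cert_names(cert):
    """DNS names the certificate is valid for: SAN dNSName entries, falling
    back to the subject commonName only when there is no SAN (RFC 6125)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive exact match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def verify_ldap_server(ldap_url, cert=SERVER_CERT):
    """Return (ok, reason) for the host named in a saslauthd ldap_servers URL."""
    host = urlsplit(ldap_url).hostname or ""
    try:
        ipaddress.ip_address(host)
        # An IP literal only matches an iPAddress SAN, which this cert lacks.
        return False, f"{host}: IP literal, certificate has no iPAddress SAN"
    except ValueError:
        pass
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return True, f"{host}: matches certificate name(s) {names}"
    return False, f"{host}: not among certificate name(s) {names}"


if __name__ == "__main__":
    for url in ("ldap://gogoserver", "ldap://gogoserver.gogoland.net",
                "ldap://192.0.2.10", "ldap://ldap-alias.gogoland.net"):
        print(url, "->", verify_ldap_server(url))
```

Only the URL naming the FQDN the certificate was issued to passes; the short name, the IP and a CNAME all fail, which is the behaviour the thread observed.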

