SASL EXTERNAL with TLS Authentication
I have been trying for several days to get SASL EXTERNAL working with TLS
authentication (OpenLDAP 2.0.23 and Cyrus SASL 1.5.27). I am able to do SASL
binds with DIGEST-MD5 (so I know SASL works) and can use startTLS with
'TLSVerifyClient 1' set in my slapd.conf (so I can verify my client certs
work).
The relevant output I get from slapd when I run 'ldapsearch -h myserver -b
'dc=my-domain,dc=com' '(objectclass=*)' -ZZ -O none -Y EXTERNAL' is:
...
do_sasl_bind: dn () mech EXTERNAL
SASL Authorize [conn=6]: "<cert dn here>" as "u:<cert dn here>"
slap_sasl_bind: username="u:<cert dn here>" realm="" ssf=0
<== slap_sasl_bind: authorization disallowed
...
ldapsearch's output is:
...
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication
additional info: authorization disallowed
...
What am I missing to get the slap_sasl_bind to work? And out of curiosity
has anyone gotten this to work? I've yet to find any success stories in my
research.
If and when I get this working, I hope to write a nice HOW-TO for myself and
everyone else's benefit.
Thank you!
dave
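As an added example that is not part of the post above: a small parser for the four slapd debug lines quoted in it, which turns a SASL bind attempt into structured fields (mechanism, connection, authentication and authorization identities, SASL ssf, result) and reports why the bind was refused. The sample log is constructed from the quoted lines with a placeholder certificate subject in place of "<cert dn here>"; the field names and the helper names are this example's own, not slapd's.

```python
import re
from typing import Dict, List, Union

# Constructed sample input: the slapd lines quoted in the post, re-joined onto
# single lines, with a placeholder certificate subject substituted for
# "<cert dn here>". Only dc=my-domain,dc=com is taken from the post.
SAMPLE_LOG = """\
do_sasl_bind: dn () mech EXTERNAL
SASL Authorize [conn=6]: "cn=dave,dc=my-domain,dc=com" as "u:cn=dave,dc=my-domain,dc=com"
slap_sasl_bind: username="u:cn=dave,dc=my-domain,dc=com" realm="" ssf=0
<== slap_sasl_bind: authorization disallowed
"""

# One pattern per line shape seen in the post; group names are our own choice.
PATTERNS = {
    "bind": re.compile(r'^do_sasl_bind: dn \((?P<dn>[^)]*)\) mech (?P<mech>\S+)'),
    "authorize": re.compile(
        r'^SASL Authorize \[conn=(?P<conn>\d+)\]: "(?P<authcid>[^"]*)" as "(?P<authzid>[^"]*)"'),
    "username": re.compile(
        r'^slap_sasl_bind: username="(?P<username>[^"]*)" realm="(?P<realm>[^"]*)" ssf=(?P<ssf>\d+)'),
    "result": re.compile(r'^<== slap_sasl_bind: (?P<result>.+)$'),
}

Record = Dict[str, Union[str, int, None]]


def parse_sasl_bind(log_text: str) -> Record:
    """Collect the fields of one SASL bind attempt from slapd debug output."""
    rec: Record = {
        "dn": None, "mech": None, "conn": None, "authcid": None, "authzid": None,
        "username": None, "realm": None, "ssf": None, "result": None,
    }
    for line in log_text.splitlines():
        for pat in PATTERNS.values():
            m = pat.match(line)
            if m:
                rec.update(m.groupdict())
                break
    # Numeric fields: connection number and the SASL security strength factor.
    # EXTERNAL negotiates no SASL security layer of its own, so ssf=0 on this
    # line is expected for an EXTERNAL bind and is not by itself the failure.
    if rec["conn"] is not None:
        rec["conn"] = int(rec["conn"])
    if rec["ssf"] is not None:
        rec["ssf"] = int(rec["ssf"])
    return rec


def findings(rec: Record) -> List[str]:
    """Human-readable observations about the parsed bind attempt."""
    out: List[str] = []
    if rec["mech"] == "EXTERNAL" and rec["dn"] == "":
        out.append("EXTERNAL bind carries no bind DN; the identity comes from the "
                   "TLS client certificate presented on this connection")
    if rec["result"] and rec["result"].startswith("authorization disallowed"):
        out.append('conn=%s: %s bind refused: slapd would not authorize "%s" as "%s"'
                   % (rec["conn"], rec["mech"], rec["authcid"], rec["authzid"]))
    return out


if __name__ == "__main__":
    record = parse_sasl_bind(SAMPLE_LOG)
    for key, value in record.items():
        print("%-9s %r" % (key, value))
    for note in findings(record):
        print("-", note)
```

Feeding real slapd output through this separates the authentication identity (the certificate subject slapd accepted) from the authorization identity it then refused, which is the distinction the "authorization disallowed" line is about.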