
RE: testing ldaps:// w/ client certificates



At 06:50 PM 2001-09-17, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Howard Chu
>
>> There are some client issues with SASL/EXTERNAL, the SASL library doesn't
>> seem to
>> think that EXTERNAL is a sufficiently secure mechanism with the default
>> secprops.
>> I think if the connection has TLS then we should be doing
>> something with the
>> secprops to tell Cyrus that EXTERNAL is acceptable.
>>
>Just to elaborate on this: slapd sets its default required properties as
>   SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS
>(slapd/sasl.c, slap_sasl_init, line 417)
>
>My Cyrus SASL library has the flags for the EXTERNAL mechanism set to
>   SASL_SEC_NOPLAINTEXT|SASL_SEC_NODICTIONARY

ldap_int_sasl_external() should do the right thing...

Kurt
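The acceptance rule that Howard's flags illustrate, as an added example that is not part of the thread and not slapd's or Cyrus SASL's own code: Cyrus only offers a mechanism that provides every property the application marks as required, so EXTERNAL (NOPLAINTEXT|NODICTIONARY) fails slapd's default requirement (NOPLAINTEXT|NOANONYMOUS) on the missing NOANONYMOUS bit. The flag names follow Cyrus SASL's sasl.h, but the bit values and the `required_props_for_connection()` policy (drop NOANONYMOUS only once TLS is up and a client certificate has been verified) are this example's assumptions.

```c
/* Added example modelling the Cyrus SASL mechanism-selection check
 * discussed in the thread. Not slapd or Cyrus SASL code. The flag names
 * match Cyrus SASL's sasl.h; the numeric values are assumed here for
 * illustration (only their distinctness matters to the check). */
#include <stdio.h>

#define SASL_SEC_NOPLAINTEXT   0x0001u
#define SASL_SEC_NOACTIVE      0x0002u
#define SASL_SEC_NODICTIONARY  0x0004u
#define SASL_SEC_NOANONYMOUS   0x0010u

/* Default required properties slapd sets (as quoted in the thread). */
#define SLAPD_DEFAULT_SECPROPS (SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS)
/* Properties the EXTERNAL plugin advertises (as quoted in the thread). */
#define EXTERNAL_MECH_FLAGS    (SASL_SEC_NOPLAINTEXT | SASL_SEC_NODICTIONARY)

/* A mechanism is acceptable only if it supplies every required property.
 * Returns 1 when acceptable, 0 when it would be skipped. */
int mech_acceptable(unsigned required, unsigned mech_flags)
{
    return (required & mech_flags) == required;
}

/* Bitmask of required properties the mechanism does not supply. */
unsigned missing_props(unsigned required, unsigned mech_flags)
{
    return required & ~mech_flags;
}

/* Hypothetical policy (this example's assumption, not slapd's): once TLS is
 * active AND the peer presented a verified client certificate, the caller's
 * identity comes from that certificate rather than being anonymous, so
 * NOANONYMOUS is dropped from the required set. TLS alone keeps it. */
unsigned required_props_for_connection(int tls_active, int client_cert_verified)
{
    unsigned required = SLAPD_DEFAULT_SECPROPS;
    if (tls_active && client_cert_verified)
        required &= ~SASL_SEC_NOANONYMOUS;
    return required;
}

static void report(const char *label, unsigned required)
{
    printf("%-32s required=0x%02x EXTERNAL=0x%02x -> %s (missing 0x%02x)\n",
           label, required, EXTERNAL_MECH_FLAGS,
           mech_acceptable(required, EXTERNAL_MECH_FLAGS) ? "offered" : "skipped",
           missing_props(required, EXTERNAL_MECH_FLAGS));
}

int main(void)
{
    report("default secprops",          SLAPD_DEFAULT_SECPROPS);
    report("TLS, no client cert",       required_props_for_connection(1, 0));
    report("TLS + verified client cert", required_props_for_connection(1, 1));
    return 0;
}
```

Running it shows EXTERNAL skipped under the default properties with `SASL_SEC_NOANONYMOUS` reported as the missing bit, and offered only once the required set has been relaxed for a certificate-authenticated TLS connection; a production check should use the flag values from the installed `sasl/sasl.h` rather than the constants above.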