
RE: Basic SASL setup instructions



Nope, I've tried every which way, Netscape's Address Book doesn't send the
client certificate on an SSL connection.

By the way, the problem I had before with the connection failing when the
server was looking for a client cert was due to Netscape not recognizing my
server's cert. (duh...) Quick way to get the server cert loaded is to point
Netscape at https://your.ldap.server:port/ and you'll be prompted for
whether or not to accept the cert. After that I ran into the same ol' 0x61
issue that we've already discussed.

I thought it might be due to some cipher blocks being unpacked out of order,
but the behavior is the same whether I use RC4/MD5 or DES/CBC3/SHA as my
cipher suite. It's a pity that the client doesn't support NULL/MD5, then we
could actually get readable tcpdump logs to debug with.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Edwin Chiu
> Sent: Wednesday, October 18, 2000 6:13 AM
> To: Kurt D. Zeilenga
> Cc: Jim Hud; openldap-software@OpenLDAP.org
> Subject: Re: Basic SASL setup instructions
>
>
> Have you tried using just the Address Book in Netscape? I've never had
> any success with ldaps:// in Netscape... and unfortunately, LDAP doesn't
> seem to be present in Mozilla yet ;(
>
> The Address Book should support at minimum, SSL with client auth. I'm
> fairly certain it should support the use of client certs as well....
>
> Edwin
>
> "Kurt D. Zeilenga" wrote:
>
> > At 11:15 PM 10/17/00 +0100, Jim Hud wrote:
> > >Is it currently being worked on?
> >
> > Yes.
> >
> > >I was hoping to use TLS/SSL but neither
> > >Netscape nor Outlook Express will work with authenticated SSL
> >
> > Note that the client's TLS (SSL) certificate is not used to establish
> > LDAP authorization unless the client requests a SASL/EXTERNAL
> > bind.
> >
> > >to slapd so SASL becomes the next best option,
> >
> > I didn't realize that Netscape and Microsoft clients had
> > implemented any SASL authentication methods yet.  I'm under
> > the impression they only support simple bind, but that they
> > did support this over both LDAP and LDAP over SSL.
> >
> > Netscape "smart" (anon search + simple bind) authentication
> > over ldaps:// doesn't work for me [the 0x61 issue others have
> > reported]... but simple bind works fine.  See FAQ for details
> > on how to provide a bind DN to Netscape.
> >   http://www.openldap.org/faq/index.cgi?file=138
> >
> > BTW, the test user "uid=test,dc=openldap,dc=org" w/
> > password "secret" is now available for testing purposes
> > at ldap://ldap.openldap.org/ & ldaps://ldap.openldap.org/
> >
> > >but I need the LDAP database to hold the id's and passwords.
> > >
> > >How can I help this along by adding my efforts?
> >
> > By enquiring on the developer's list.
>
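Kurt's point above (a TLS client certificate only establishes an LDAP identity when the client actually sends a SASL/EXTERNAL bind) comes down to what the client puts in its BindRequest. The following is an added example, not code from the thread or from OpenLDAP: it BER-encodes the two kinds of bind a client can send over an ldaps:// connection, per RFC 4511, and decodes them back so the difference is visible. Tag values (0x60 for BindRequest, 0x61 for BindResponse, 0x80 for a simple password, 0xA3 for SASL credentials) are the RFC 4511 definitions; the sample DN and password are the public test account mentioned in the thread. Nothing here diagnoses the "0x61 issue" the thread refers to; 0x61 is simply the tag a BindResponse carries.

```python
"""Encode and decode LDAP BindRequest PDUs (RFC 4511) to show the wire-level
difference between a simple bind and a SASL/EXTERNAL bind.  Added example;
not OpenLDAP's own code."""

# BER tag values from RFC 4511 (all constant values are the RFC's, not assumptions)
TAG_SEQUENCE = 0x30
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice: simple [0] OCTET STRING
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice: sasl [3] SaslCredentials
LDAP_VERSION = 3


def ber_len(n: int) -> bytes:
    """Definite-form BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER (non-negative values only here)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
    return tlv(0x02, body)


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Simple bind: identity comes from the DN/password pair, never from TLS."""
    auth = tlv(TAG_AUTH_SIMPLE, password.encode())
    bind = tlv(TAG_BIND_REQUEST,
               ber_int(LDAP_VERSION) + tlv(TAG_OCTET_STRING, dn.encode()) + auth)
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + bind)


def sasl_external_bind(msg_id: int, authzid: str = "") -> bytes:
    """SASL/EXTERNAL bind: asks the server to use the identity already
    authenticated at a lower layer (the TLS client certificate).
    The name field is left empty, as RFC 4511 says it should be for SASL."""
    creds = tlv(TAG_OCTET_STRING, b"EXTERNAL")
    if authzid:  # optional authorization identity (RFC 4513 section 5.2.3)
        creds += tlv(TAG_OCTET_STRING, authzid.encode())
    auth = tlv(TAG_AUTH_SASL, creds)
    bind = tlv(TAG_BIND_REQUEST,
               ber_int(LDAP_VERSION) + tlv(TAG_OCTET_STRING, b"") + auth)
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + bind)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for one BER element."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def describe_bind(pdu: bytes) -> dict:
    """Decode a BindRequest PDU and report which authentication it asks for."""
    tag, msg, _ = read_tlv(pdu)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, p = read_tlv(msg)
    tag, bind, _ = read_tlv(msg, p)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, _version, p = read_tlv(bind)
    _, name, p = read_tlv(bind, p)
    tag, auth, _ = read_tlv(bind, p)
    if tag == TAG_AUTH_SIMPLE:
        return {"kind": "simple", "name": name.decode()}
    if tag == TAG_AUTH_SASL:
        _, mech, _ = read_tlv(auth)
        return {"kind": "sasl", "mechanism": mech.decode(), "name": name.decode()}
    raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)


if __name__ == "__main__":
    # Test account named in the thread (ldap.openldap.org), used as sample input
    for pdu in (simple_bind(1, "uid=test,dc=openldap,dc=org", "secret"),
                sasl_external_bind(2)):
        print(pdu.hex(), describe_bind(pdu))
```

A server that has verified the client's certificate during the TLS handshake still receives one of these two PDUs afterwards; only the second one tells it to map the certificate subject to an LDAP identity, which is why a client that never sends a SASL/EXTERNAL bind (as the Address Book here does not) ends up bound anonymously or by password no matter what certificate it presented.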