Re: SASL/EXTERNAL Mechanism Help
At 12:41 PM 7/27/2001, Matt wrote:
>Hi,
>
> I am in the early stages of writing a client application that
>will connect to slapd using TLS to read various pieces of data from the
>LDAP server. I have 2 major questions that I could really use some
>direction with:
>
>1) I have been doing some looking into the SASL/EXTERNAL mechanism and it
>seems to me that I could somehow set this up to allow the client to
>present an X.509 certificate as authentication information. Is this
>correct? An old software bug logged (ITS #865) that suggests that this
>might be possible.
>
> One major problem - I can't seem to get EXTERNAL to show up as a
>supported SASL mechanism. Running
> ldapsearch -x -s base -b "" -ZZ supportedsaslmechanisms
>
>generates
>dn:
>supportedSASLMechanisms: LOGIN
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: DIGEST-MD5
>supportedSASLMechanisms: CRAM-MD5
>
>
>but no EXTERNAL mechanism.
Yes, it's not available unless the client has asserted
its identity using a certificate.
>I am running Debian linux with OpenLDAP v 2.0.11 with Cyrus SASL 1.5.24.
>Do I need to run a version of LDAP from the HEAD branch, or are my SASL
>libraries misconfigured somehow?
HEAD has much better support for SASL EXTERNAL. In particular,
some authzid handling issues are better handled in EXTERNAL.
Since I don't use TLS too often (preferring just to use SASL),
I don't recall exactly what's in REL_ENG_2.
>2) I have gotten my application to talk over the TLS link to the slapd
>server (thanks to looking at the tools/ldap*.c code), and things are
>working well, but I really require some way to know that the LDAP server my
>application is talking to is trusted. Basically I would like a way to
>verify the certificate the slapd server is providing to my client app. Is
>there a way to get the information about the server certificate using the
>LDAP library ? the OpenSSL library ?
If the server is listening on ldaps://, you can use OpenSSL's
builtin client to view the server's certificate.
> Any input or suggestions on where to look would be greatly
>appreciated since I seem to have hit a wall on these issues. I have
>tried to keep my explanations as brief as possible while making my
>goals clear, but if elaboration is required, please don't hesitate to
>ask me. Thanks so much.
>
>Matt Maynard
>4B CS University of Waterloo
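Added example for the second question (not from the thread or from OpenLDAP): pulling the certificate a slapd listening on ldaps:// presents, using only OpenSSL's command-line client, and checking it against a CA file or a pinned fingerprint before the client trusts the server. The host name, port and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes the openssl CLI
# is installed; HOST:PORT and the CA / certificate paths are placeholders.

# Fetch the leaf certificate the server presents, as PEM.
# Usage: fetch_server_cert ldap.example.org:636 > server.pem
fetch_server_cert() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print the fields an operator compares against the expected slapd
# certificate: subject, issuer, validity period and SHA-256 fingerprint.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Return 0 only if openssl accepts the certificate as issued by a CA in
# the given bundle (this is the check the client should make before
# sending a bind or any query).
verify_cert_against_ca() {
    cafile=$1
    certfile=$2
    openssl verify -CAfile "$cafile" "$certfile" >/dev/null 2>&1
}

# Return 0 if the certificate's SHA-256 fingerprint equals a pinned value.
# openssl prints "... Fingerprint=AA:BB:..."; compare case-insensitively.
cert_fingerprint_matches() {
    certfile=$1
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    actual=$(openssl x509 -in "$certfile" -noout -fingerprint -sha256 \
                | sed 's/^.*=//')
    [ "$actual" = "$expected" ]
}
```

For a server reached with STARTTLS on port 389 (the ldapsearch -ZZ case rather than ldaps://), newer OpenSSL releases accept `openssl s_client -starttls ldap` in place of the plain `-connect` pipeline.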