
Re: SASL/EXTERNAL Mechanism Help



At 12:41 PM 7/27/2001, Matt wrote:
>Hi,
>
>        I am in the early stages of writing a client application that
>will connect to slapd using TLS to read various pieces of data from the
>LDAP server.  I have 2 major questions that I could really use some
>direction with:
>
>1) I have been doing some looking into the SASL/EXTERNAL mechanism and it
>seems to me that I could somehow set this up to allow the client to
>present an X.509 certificate as authentication information.  Is this
>correct?  An old software bug logged (ITS #865) that suggests that this
>might be possible.
>
>        One major problem - I can't seem to get EXTERNAL to show up as a
>supported SASL mechanism. Running
> ldapsearch -x  -s base -b "" -ZZ  supportedsaslmechanisms
>
>generates 
>dn:
>supportedSASLMechanisms: LOGIN
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: DIGEST-MD5
>supportedSASLMechanisms: CRAM-MD5
>
>
>but no EXTERNAL mechanism.

Yes, it's not available unless the client has asserted
its identity using a certificate.


>I am running Debian linux with OpenLDAP v 2.0.11 with Cyrus SASL 1.5.24.
>Do I need to run a version of LDAP from the HEAD branch, or are my SASL
>libraries misconfigured somehow?

HEAD has much better support for SASL EXTERNAL.  In particular,
some authzid handling issues are better handled in EXTERNAL.
Since I don't use TLS too often (preferring just to use SASL),
I don't recall exactly what's in REL_ENG_2.


>2) I have gotten my application to talk over the TLS link to the slapd
>server (thanks to looking at the tools/ldap*.c code), and things are
>working well, but I really require some way to know that the LDAP server my
>application is talking to is trusted.  Basically I would like a way to
>verify the certificate the slapd server is providing to my client app.  Is
>there a way to get the information about the server certificate using the
>LDAP library? The OpenSSL library?

If the server is listening on ldaps://, you can use OpenSSL's
builtin client to view the server's certificate.


>        Any input or suggestions on where to look would be greatly
>appreciated since I seem to have hit a wall on these issues. I have
>tried to keep my explanations as brief as possible while making my
>goals clear, but if elaboration is required, please don't hesitate to
>ask me. Thanks so much.
>
>Matt Maynard
>4B CS University of Waterloo
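
As an added illustration of the "use OpenSSL's builtin client" suggestion (this is my own example, not code from the thread or from OpenLDAP): a small POSIX sh script that connects to an ldaps:// listener with `openssl s_client`, checks that the chain verifies against a chosen CA file, and prints the leaf certificate's SHA-256 fingerprint so the client can pin it. The host, port, CA-file path and the `-verify_hostname` option (OpenSSL 1.1.0 or later) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Probe an ldaps:// server
# with OpenSSL's s_client and decide whether its certificate is trusted.
# HOST, PORT and CAFILE are assumptions; adjust for your own deployment.

# Run s_client against HOST:PORT, verifying the chain against CAFILE and
# the hostname (the -verify_hostname option needs OpenSSL >= 1.1.0).
# The full s_client output is printed so the helpers below can parse it.
ldaps_probe() {
    host=$1; port=${2:-636}; cafile=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -CAfile "$cafile" -showcerts \
        </dev/null 2>/dev/null
}

# Read s_client output on stdin; succeed only if OpenSSL reported
# "Verify return code: 0 (ok)". Any other code (e.g. 21, unable to
# verify the first certificate) means the server must not be trusted.
verify_ok() {
    awk '/^ *Verify return code:/ { code=$4 } END { exit (code=="0" ? 0 : 1) }'
}

# Read s_client output on stdin and print the SHA-256 fingerprint of the
# leaf (first) certificate. Pinning this value in the client catches a
# changed server certificate even when it still chains to the CA.
leaf_fingerprint() {
    awk '/BEGIN CERTIFICATE/ { p=1 } p { print } /END CERTIFICATE/ { exit }' \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Stand-alone use: ldaps_check.sh ldap.example.com 636 /path/to/ca.pem
if [ -n "$1" ]; then
    out=$(ldaps_probe "$1" "${2:-636}" "${3:-/etc/ssl/certs/ca-certificates.crt}")
    if printf '%s\n' "$out" | verify_ok; then
        echo "chain OK, leaf fingerprint: $(printf '%s\n' "$out" | leaf_fingerprint)"
    else
        echo "server certificate NOT verified; refusing to trust $1" >&2
        exit 1
    fi
fi
```

The same check belongs in the application itself: when the client uses the OpenLDAP library with TLS, the equivalent of a non-zero verify return code should abort the bind rather than be logged and ignored.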