Re: SASL/EXTERNAL Mechanism Help
First off, I want to thank Kurt for his reply. I just have a couple of
clarifications to request.
On Sat, 28 Jul 2001, Kurt D. Zeilenga wrote:
[snip]
> >supported SASL mechanism. running
> > ldapsearch -x -s base -b "" -ZZ supportedsaslmechanisms
> >
> >generates
> >dn:
> >supportedSASLMechanisms: LOGIN
> >supportedSASLMechanisms: PLAIN
> >supportedSASLMechanisms: DIGEST-MD5
> >supportedSASLMechanisms: CRAM-MD5
> >
> >
> >but no EXTERNAL mechanism.
>
> Yes, it's not available unless the client has asserted
> its identity using a certificate.
>
Does anyone have any examples of client code that sends a certificate to the
server? I am not quite sure how to test this out. Also, I was wondering
if anyone on the list has had any success using client certificates for
authentication purposes?
Any tips on how to start, what to read, etc. would be greatly
appreciated.
[snip]
> >2) I have gotten my application to talk over the TLS link to the slapd
> >server (thanks to looking at the tools/ldap*.c code), and things are
> >working well, but I really require some way to know that the LDAP server my
> >application is talking to is trusted. Basically I would like a way to
> >verify the certificate the slapd server is providing to my client app. Is
> >there a way to get the information about the server certificate using the
> >LDAP library? The OpenSSL library?
>
> If the server is listening on ldaps://, you can use OpenSSL's
> builtin client to view the server's certificate.
>
Would that be the OpenSSL s_client mode? I am looking for a way
to verify that the LDAP server my client application connects to is the
server that the client trusts. Has anyone written a client using the LDAP
library that does this? It would be best if there was some way that I
could get the certificate information in my client (like Netscape does) so
that I can compare it to a list of known certificates. I noticed that
when running the ldap* tools in -Z mode (TLS enabled) with debugging set
high, I see parts of the certificate in the debug information. Does the
LDAP server send the certificate to the client? Is there any way for me
to get access to this information?
Thanks in advance
Matt Maynard
4B CS University of Waterloo
mmaynard@student.math.uwaterloo.ca
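A worked example added here, not taken from the thread or from OpenLDAP: it does what Kurt suggests (fetch the server certificate over ldaps:// with OpenSSL's built-in client) and then what Matt is asking for (compare that certificate, by SHA-256 fingerprint, against a list of certificates the client already trusts). The hostname, port and pin file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: fetch an LDAP server's certificate
# over ldaps:// with openssl s_client and check its SHA-256 fingerprint
# against a pin file of trusted fingerprints. Host, port and pin file are
# assumed values for illustration.
set -eu

# Fetch the server certificate (PEM) from host:port using openssl s_client.
# The certificate goes to stdout; s_client's own chatter is discarded.
fetch_server_cert() {
    host=$1; port=${2:-636}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print the SHA-256 fingerprint of a PEM certificate file in the form
# openssl uses: upper-case hex bytes separated by colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the fingerprint is listed in the pin file (one per line;
# '#' comment lines and blank lines are ignored), 1 otherwise.
is_pinned() {
    fp=$1; pinfile=$2
    grep -v '^[[:space:]]*#' "$pinfile" | grep -v '^[[:space:]]*$' \
        | grep -qix -- "$fp"
}

# Full check: fetch, fingerprint, compare. The exit status is the verdict,
# so a client wrapper can refuse to bind when the server is not pinned.
verify_ldap_server() {
    host=$1; pinfile=$2; port=${3:-636}
    tmp=$(mktemp)
    fetch_server_cert "$host" "$port" >"$tmp"
    fp=$(cert_fingerprint "$tmp")
    rm -f "$tmp"
    if is_pinned "$fp" "$pinfile"; then
        echo "trusted: $host presents pinned certificate $fp"
    else
        echo "UNTRUSTED: $host presents unknown certificate $fp" >&2
        return 1
    fi
}

# Usage with assumed values: verify_ldap_server ldap.example.org trusted-ldap.pins
```

To seed the pin file, run cert_fingerprint once on a certificate obtained through a channel you already trust (for example, the PEM file the slapd administrator hands you), not on one fetched blindly from the network.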