SASL EXTERNAL authentication blues
Hi all,
I have unsuccessfully tried getting slapd working with TLS client
authentication.
What I wish to achieve (as a first proof of concept) is to have ldapsearch or
ldapadd, authenticate against slapd with a X.509 client certificate and then
act as the rootdn.
I believe I have tried all the hints in the archives on this subject
(obviously I cannot have done that, as it still does not work).
Basically this is my understanding of how to do it:
I have successfully run the command:
ldapsearch -x -H "ldaps://localhost" -s base -b "" supportedSASLMechanisms
which lists the EXTERNAL mechanism
I have then tried to run
ldapsearch -Y EXTERNAL -H "ldaps://localhost" -s base -b ""
supportedSASLMechanisms
But so far without any luck.
I have added -O none as suggested in a previous post, as well as combinations
of -U and -X parameters, still no luck.
I have added the root user to SASL using saslpasswd (but am unsure how this
should be done correctly); in that respect what bothers me most is that even
though I use the SASL realm dc=dk,dc=deff, slapd reports the following:
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
SASL Authorize [conn=0]: authcid="/DC=dk/DC=deff/CN=Manager"
authzid="/DC=dk/DC=deff/CN=Manager"
SASL Authorize [conn=0]: "/DC=dk/DC=deff/CN=Manager" as
"u:/DC=dk/DC=deff/CN=Manager"
slap_sasl_bind: username="u:/DC=dk/DC=deff/CN=Manager" realm="" ssf=0
<== slap_sasl_bind: authorization disallowed
where, as you can see, the realm is noted as ""
I have tried different configurations of the rootdn in slapd.conf, but I
believe that the correct one must be:
suffix "dc=deff,dc=dk"
rootdn "uid=/DC=dk/DC=deff/CN=Manager,dc=deff,dc=dk"
given the certificate DN received above.
I am not really sure if sasl passwords added using saslpasswd are needed for
the EXTERNAL mechanism. I suspect not.
How does SASL actually authenticate using EXTERNAL? I have tried looking at
the cyrus-sasl mailing list archive, but apparently it looks as if it is done by
the server (slapd?).
Any help is appreciated.
Kind regards
Søren
"When in doubt, it's a classpath problem."
------------------------------------------------------------------------
Søren Hilmer, M.Sc.
R&D manager Phone: +45 86 78 21 00
IT+ A/S Fax: +45 86 78 21 02
Brendstrupgårdsvej 7 Direct: +45 87 40 08 44
8200 Århus N Email: sh@itplus.dk
Denmark WWW: http://www.itplus.dk
------------------------------------------------------------------------
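The following is an added example, not code from the original post or from OpenLDAP. It illustrates the identity mapping the post is wrestling with: with SASL EXTERNAL over TLS, slapd takes the authentication identity from the client certificate's subject DN (no saslpasswd entry is involved), so the certificate subject has to equal the rootdn, or be mapped onto a directory DN with an authz-regexp directive. The script converts the OpenSSL "slash" subject quoted in the post's log into the RFC 2253 form slapd works with, and prints matching slapd.conf and client-side settings. The host name ldap.deff.dk, the certificate and key paths, and the regexp target are assumptions made for the example; the client invocation deliberately drops -x, since -x selects a simple bind rather than SASL.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenLDAP): derive the
# SASL EXTERNAL identity from an OpenSSL-style certificate subject and emit
# the slapd.conf / client settings needed to bind with that certificate.
# Paths, host name and the authz-regexp target are assumptions.

# "/DC=dk/DC=deff/CN=Manager" -> "cn=Manager,dc=deff,dc=dk"
# OpenSSL's one-line form lists RDNs root-first, separated by '/';
# RFC 2253 lists the most specific RDN first, separated by ','.
# Attribute types are lower-cased and a ',' inside a value is escaped.
slash_dn_to_rfc2253() {
    printf '%s' "$1" | awk -F'/' '{
        out = ""
        for (i = NF; i >= 1; i--) {
            if ($i == "") continue            # the leading "/" yields an empty field
            eq   = index($i, "=")
            type = tolower(substr($i, 1, eq - 1))
            val  = substr($i, eq + 1)
            gsub(/,/, "\\\\,", val)           # RFC 2253: "," in a value becomes "\,"
            out = (out == "") ? type "=" val : out "," type "=" val
        }
        print out
    }'
}

# slapd matches authz-regexp patterns against the normalized identity, which
# is lower case for case-insensitive attributes such as cn and dc.
normalize_dn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# slapd.conf fragment for a server that demands a client certificate signed
# by the (assumed) CA file and lets the certificate holder act as rootdn.
slapd_conf_fragment() {
    subject="$1"
    cat <<EOF
TLSCACertificateFile  /etc/ldap/ca.pem
TLSCertificateFile    /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/slapd-key.pem
TLSVerifyClient       demand

suffix   "dc=deff,dc=dk"
# rootdn need not exist in the database; it only has to equal the
# authentication identity slapd derives from the certificate subject.
rootdn   "$subject"

# Alternative (least privilege): instead of handing out rootdn, map each
# certificate subject under the suffix onto its own entry, found by cn.
# Pattern is lower case because it is matched against the normalized DN.
authz-regexp "^cn=([^,]+),dc=deff,dc=dk\$" "ldap:///dc=deff,dc=dk??sub?(cn=\$1)"
EOF
}

# Client side: ldap.conf(5) TLS options given as environment variables.
# No SASL password is involved; EXTERNAL takes the identity from the TLS layer.
client_commands() {
    cat <<'EOF'
export LDAPTLS_CACERT=/etc/ldap/ca.pem
export LDAPTLS_CERT=$HOME/manager-cert.pem
export LDAPTLS_KEY=$HOME/manager-key.pem
ldapwhoami  -Y EXTERNAL -H ldaps://ldap.deff.dk
ldapsearch  -Y EXTERNAL -H ldaps://ldap.deff.dk -s base -b "" supportedSASLMechanisms
EOF
}

# Stand-alone run: use the subject that appears in the post's slapd log.
subject=$(slash_dn_to_rfc2253 '/DC=dk/DC=deff/CN=Manager')
echo "# certificate subject as slapd sees it: $subject"
echo "# normalized form used for authz-regexp: $(normalize_dn "$subject")"
echo
slapd_conf_fragment "$subject"
echo
client_commands
```

ldapwhoami is the quickest check that the TLS handshake, client-certificate verification and SASL EXTERNAL all line up: it reports the identity slapd assigned to the connection, which is what rootdn or the authz-regexp pattern must match.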