[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: SASL EXTERNAL with TLS Authentication
Thanks for the patch--it worked like a charm. I also tried using the
2.1alpha code, but could not get TLS anything working. That may require some
more tinkering on my part.
Out of curiosity, what do I gain from SASL EXTERNAL TLS auth that I cannot
get from putting the following in my slapd.conf:
TLSVerifyClient 1
security ssf=128
access to *
by ssf=128 { read | write | etc.}
I would only trust certs that I gave out and require confidentiality
(security ssf=128).
I ask this because it seems that using either really only comes down to
configuration options in slapd.conf.
Thanks again!
dave
On Wednesday 06 March 2002 19:25, Karsten Künne wrote:
> On Wednesday 06 March 2002 18:05, Howard Chu wrote:
> | The support here is pretty limited in 2.0.x, and it doesn't look like
> | this has
> | any chance of working. It does work in the HEAD, and the 2.1alpha code
> | should be OK as well. In particular, the SASL auth code in 2.0.x expects
> | usernames returned from the SASL library to be simple names, not DNs. As
> | such, it's impossible for it to be used with an X.509 cert.
> |
> | The alpha code supports a config file keyword
> | "sasl-external-x509dn-convert" that will rewrite a cert's X.500-style DN
> | into an LDAP-style DN. It also supports a "sasl-regexp" keyword for
> | mapping arbitrary SASL names into usable DNs. One or both of these
> | features is necessary for successfully using SASL EXTERNAL with TLS.
>
> That's all true but if you don't want to wait for 2.1 you can apply the
> following small patch to 2.0.23 (unofficially):
>
> --- ./servers/slapd/sasl.c.orig Thu Feb 14 16:17:45 2002
> +++ ./servers/slapd/sasl.c Thu Feb 14 16:18:35 2002
> @@ -466,7 +466,7 @@
>
> } else if ( username[0] == 'u' && username[1] ==
> ':' && username[2] != '\0'
> - && strpbrk( &username[2], "+=,;\"\\ \t") ==
> NULL )
> + && strpbrk( &username[2], "+,;\"\t\\") ==
> NULL ) {
> *edn = ch_malloc( sizeof( "uid= + realm=" )
> + strlen( &username[2] )
>
>
> I got it working with that.
>
> | -- Howard Chu
> | Chief Architect, Symas Corp. Director, Highland Sun
> | http://www.symas.com http://highlandsun.com/hyc
> | Symas: Premier OpenSource Development and Support
> |
> | > -----Original Message-----
> | > From: owner-openldap-software@OpenLDAP.org
> | > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David H.
> | > Hawes Sent: Wednesday, March 06, 2002 1:58 PM
> | > To: OpenLDAP-software@OpenLDAP.org
> | > Subject: SASL EXTERNAL with TLS Authentication
> | >
> | >
> | > I have been trying for several days to get SASL EXTERNAL working with
> | > TLS authentication (OpenLDAP 2.0.23 and Cyrus SASL 1.5.27). I am
> | > able to do SASL
> | > binds with DIGEST-MD5 (so I know SASL works) and can use startTLS with
> | > 'TLSVerifyClient 1' set in my slapd.conf (so I can verify my client
> | > certs work).
> | >
> | > The relevant output I get from slapd when I run 'ldapsearch -h
> | > myserver -b
> | > 'dc=my-domain,dc=com' '(objectclass=*)' -ZZ -O none -Y EXTERNAL' is:
> | > ...
> | > do_sasl_bind: dn () mech EXTERNAL
> | > SASL Authorize [conn=6]: "<cert dn here>" as "u:<cert dn
> | > here>"
> | > slap_sasl_bind: username="u:<cert dn here>" realm="" ssf=0
> | > <== slap_sasl_bind: authorization disallowed
> | > ...
> | >
> | > ldapsearch's output is:
> | > ...
> | > SASL/EXTERNAL authentication started
> | > ldap_sasl_interactive_bind_s: Inappropriate authentication
> | > additional info: authorization disallowed
> | > ...
> | >
> | > What am I missing to get the slap_sasl_bind to work? And out of
> | > curiosity
> | > has anyone gotten this to work? I've yet to find any success
> | > stories in my
> | > research.
> | >
> | > If and when I get this working, I hope to write a nice HOW-TO for
> | > myself and
> | > everyone else's benefit.
> | >
> | > Thank you!
> | >
> | > dave