
Re: What is EXTERNAL SASL Mechanism?



Actually this question has been asked many times.
Unfortunately, there's still no working solution to the problem!
My experience is that whether or not the user uses that 'TLSClientVerify'
directive, the OpenSSL software returns some error during the SSL
handshake which says: error while reading the client certificate... etc.
Maybe Kurt has a word to say here? Or he would kindly guide us
on how to configure the LDAP server correctly.
regards,

Wai

Tarassov Vadim wrote:

> Hello Kurt,
>
> OK, sorry that I repeat my question; it is just because I am too new to SASL and LDAP and have to learn a lot ....
> Here is my understanding of what may happen: the LDAP server gets the client certificate, reads the subject and attempts to interpret it as an LDAP user. Is that correct?
>
> If the server wants to get the client identity from the certificate, it should require it during the handshake. I assume that the configuration parameter TLSVerifyClient should be "yes". Or maybe the EXTERNAL SASL mechanism is implemented in such a way that authentication is not influenced by the TLS configuration of the server?
>
> Anyway, is it described somewhere how I should configure the LDAP server to use EXTERNAL? Has someone checked if it really works with the LDAP provider from Sun? Why don't I see EXTERNAL in the list of supportedSASLMechanisms when using Sun's LDAP provider for JNDI (I believe I have the latest version of it)?
>
> Thanx a lot, Vadim Tarassov.
>
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Wednesday, 19 June 2002 20:30
> To: vadim tarassov
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: What is EXTERNAL SASL Mechanism?
>
> SASL/EXTERNAL is used to request that an identity established
> by a lower layer be used at the application layer.  In OpenLDAP,
> as described in RFC 2829/2830, it's used to request the client's
> TLS authentication identity be used as the LDAP authentication
> identity, which is then used for authorization purposes.
>
> At 02:27 PM 2002-06-18, vadim tarassov wrote:
> >Hello everybody,
> >
> >I was googling for the EXTERNAL SASL mechanism, but could not find anything that could help me understand how OpenLDAP uses (implements?) it. I will be really glad if someone explains it to me in a few details.
> >
> >Thanx a lot, Vadim Tarassov.
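To make Kurt's description concrete (a lower-layer identity, here the TLS client certificate, reused as the LDAP authentication identity) and to answer the configuration question in the thread, here is an added example of the server and client settings involved. It is not code from the thread or from the OpenLDAP project; the file paths, hostname, DNs and certificate subjects are assumptions, and the directive names are the slapd.conf(5) and ldap.conf(5) ones.

```conf
# --- slapd.conf (server side) ---
# Added example; paths, hostname and DNs are assumptions, not from the thread.

# Server certificate and key, plus the CA that issued the client certificates.
# Without a CA to verify against, slapd cannot establish a client identity.
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/certs/slapd-key.pem

# Weak setting: slapd never asks for a client certificate, so the TLS layer
# establishes no client identity and SASL/EXTERNAL has nothing to reuse.
#TLSVerifyClient never

# Corrected setting: request a client certificate and fail the handshake
# unless it chains to TLSCACertificateFile.  Use "try" instead if clients
# without a certificate must still be able to connect; a presented but
# invalid certificate is still rejected in that mode.
TLSVerifyClient demand

# The identity slapd derives is the certificate's subject DN.  If that DN is
# not itself an entry DN, map it with authz-regexp (OpenLDAP 2.2 and later;
# OpenLDAP 2.1 spells the same directive sasl-regexp).  Run ldapwhoami first
# (see below) to see exactly which string slapd derived, and match that.
authz-regexp
    "^cn=([^,]+),ou=users,o=example ca$"
    "cn=$1,ou=people,dc=example,dc=com"

# --- ~/.ldaprc (client side) ---
# TLS_CERT and TLS_KEY are user-only options: they are honoured in ~/.ldaprc
# but ignored in the system-wide ldap.conf.
TLS_CACERT  /home/vadim/certs/ca.pem
TLS_CERT    /home/vadim/certs/vadim-cert.pem
TLS_KEY     /home/vadim/certs/vadim-key.pem

# --- checks from the client ---
# -ZZ makes StartTLS mandatory, so the bind can never fall back to cleartext;
# slapd answers with the identity it derived from the certificate, which is
# the string an authz-regexp has to match:
#   ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL
#
# slapd advertises EXTERNAL only on a connection that already carries an
# external identity, so ask for the mechanism list over the same StartTLS
# session with the client certificate, not over a plain connection:
#   ldapsearch -H ldap://ldap.example.com -ZZ -x -s base -b "" supportedSASLMechanisms
```

The two checks are worth running in that order: if ldapwhoami reports a handshake error, the problem is in the certificate chain or TLSVerifyClient and no regexp will help; if it returns a DN that is not the entry you expected, the mapping is what needs adjusting.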