
Re: What is EXTERNAL SASL Mechanism?



It's me again.

Just to be more precise ... I have the following setup: openldap 2.1.2, openssl 0.9.6d, jdk 1.3_03 from SUN, jsse 1.0.3 and the JNDI ldap provider from SUN 1.2.4. The best result I could get so far is:

1) OpenLDAP expects a client certificate, i.e. TLSVerifyClient is yes.
2) I use CRAM-MD5 as the SASL mechanism, as I don't understand how EXTERNAL works.
3) The handshake works OK to the best of my knowledge, SASL authentication is also OK, but now it comes:

already after SASL has decided that my client is OK:

TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept.
TLS: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized ssl_sess.c:278
connection_read(12): TLS accept error error=-1 id=5, closing

Do you know what this could be?

Cheers, Vadim Tarassov.

-----Original Message-----
From: Wai Un [mailto:un@trustcenter.de]
Sent: Thursday, 20 June 2002 16:54
To: vadim.tarassov@winterthur.ch; openldap-software@openldap.org
Subject: Re: What is EXTERNAL SASL Mechanism?

Actually this question has been asked many times.
Unfortunately, there's still no working solution to the problem!
My experience is that whether or not the user uses that 'TLSClientVerify'
directive, the OpenSSL software returns some error during the SSL
handshake which says: error while reading the client certificate... etc.
Maybe Kurt has a word to say there? Or he would kindly guide us on
how to configure the LDAP server correctly.
regards,

Wai

Tarassov Vadim wrote:

> Hello Kurt,
>
> OK, sorry that I repeat my question, it is just because I am too new to SASL and LDAP and have to learn a lot ....
> Here is my understanding of what may happen: the LDAP server gets the client certificate, reads the subject and attempts to interpret it as an LDAP user. Is it correct?
>
> If the server wants to get the client identity from the certificate, it should require it during the handshake. I assume that the configuration parameter TLSVerifyClient should be "yes". Or maybe the EXTERNAL SASL mechanism is implemented in such a way that authentication is not influenced by the TLS configuration of the server?
>
> Anyway, is it described somewhere how I should configure the LDAP server to use EXTERNAL? Has someone checked if it really works with the LDAP provider from Sun? Why don't I see EXTERNAL in the list of supportedSASLMechanisms when using SUN's LDAP provider for JNDI (I believe I have the latest version of it)?
>
> Thanks a lot, Vadim Tarassov.
>
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Wednesday, 19 June 2002 20:30
> To: vadim tarassov
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: What is EXTERNAL SASL Mechanism?
>
> SASL/EXTERNAL is used to request that an identity established
> by a lower layer be used at the application layer.  In OpenLDAP,
> as described in RFC 2829/2830, it's used to request the client's
> TLS authentication identity be used as the LDAP authentication
> identity, which is then used for authorization purposes.
>
> At 02:27 PM 2002-06-18, vadim tarassov wrote:
> >Hello everybody,
> >
> >I was googling for the EXTERNAL SASL Mechanism, but could not find anything that could help me understand how openldap uses (implements?) it. I would be really glad if someone could explain it to me in a few details.
> >
> >Thanks a lot, Vadim Tarassov.
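The step Kurt describes (the TLS client certificate's identity becoming the LDAP authentication identity) is only half of what a working SASL/EXTERNAL setup needs: slapd must also be told how to turn a certificate subject DN into the DN of an entry it can apply ACLs to. The following is an added example, written for this thread and not code from OpenLDAP or from any poster, that models both halves: it reads a constructed slapd.conf fragment (the TLSVerifyClient directive plus a sasl-regexp mapping rule, which later OpenLDAP releases renamed authz-regexp) and then shows what authentication DN slapd would end up with for a given client certificate. The file paths, the o=winterthur mapping rule and the certificate subjects are placeholders; the DN normalisation is a deliberate simplification (lowercasing and stripping spaces, no handling of escaped commas) of what slapd really does; and the error handling for a missing certificate is my own, not slapd's actual diagnostics.

```python
import re
import shlex

# Constructed slapd.conf fragment (example only, not the thread's configuration).
# OpenLDAP 2.1 spells the mapping directive "sasl-regexp"; 2.2+ calls it "authz-regexp".
SLAPD_CONF = """\
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem
# demand/hard/true: ask for a client certificate and fail the handshake without
# a valid one.  never (the default): do not ask at all, so EXTERNAL has no
# lower-layer identity to pick up.
TLSVerifyClient demand
# Rewrite the certificate subject DN into the DN of the user's directory entry.
sasl-regexp
    "^cn=([^,]+),o=winterthur,c=ch$"
    "cn=$1,ou=people,dc=winterthur,dc=ch"
"""


def parse_conf(conf_text):
    """Return (tlsverifyclient value, [(compiled regex, python replacement)]).

    slapd treats a line beginning with whitespace as a continuation of the
    previous directive; that is how the multi-line sasl-regexp above is written.
    """
    logical = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())

    verify = "never"          # slapd's default when the directive is absent
    rules = []
    for directive in logical:
        words = shlex.split(directive)
        key = words[0].lower()
        if key == "tlsverifyclient":
            verify = words[1].lower()
        elif key in ("sasl-regexp", "authz-regexp"):
            pattern, replacement = words[1], words[2]
            # OpenLDAP writes back-references as $1; Python's re.sub wants \1.
            rules.append((re.compile(pattern),
                          re.sub(r"\$(\d)", r"\\\1", replacement)))
    return verify, rules


def normalize_dn(subject_dn):
    """Simplified stand-in for slapd's DN normalisation (assumption: lowercase,
    no blanks after commas).  Real slapd normalisation also handles escaped
    commas and attribute-specific matching rules; this one does not."""
    return ",".join(part.strip().lower() for part in subject_dn.split(","))


def external_bind(verify, rules, peer_subject_dn):
    """Model the identity slapd uses for a SASL EXTERNAL bind over TLS.

    Returns the authentication DN that ACLs will see, or None when the
    connection carries no TLS client identity at all (in which case there is
    nothing for EXTERNAL to use and the bind cannot succeed).
    """
    if verify == "never":
        return None               # slapd never asked for a certificate
    if peer_subject_dn is None:
        if verify in ("demand", "hard", "true"):
            # Illustrative error; slapd's own message differs.
            raise ConnectionError("TLS handshake rejected: client certificate required")
        return None               # allow/try: anonymous TLS session, no identity
    authc_dn = normalize_dn(peer_subject_dn)
    for pattern, replacement in rules:
        if pattern.match(authc_dn):
            return pattern.sub(replacement, authc_dn)
    # No rule matched: slapd keeps the subject DN itself as the bind DN.  Unless
    # an entry with exactly that DN exists, ACLs will treat it as an unknown user.
    return authc_dn


if __name__ == "__main__":
    verify, rules = parse_conf(SLAPD_CONF)
    # Constructed certificate subjects, written the way OpenSSL prints them.
    print(external_bind(verify, rules, "CN=Vadim Tarassov, O=Winterthur, C=CH"))
    print(external_bind(verify, rules, "CN=stranger, O=Other, C=DE"))
```

The first subject maps onto cn=vadim tarassov,ou=people,dc=winterthur,dc=ch, which is a DN the ACLs can refer to; the second falls through unmapped and binds as cn=stranger,o=other,c=de, a DN with no entry behind it. That fall-through is the practical reason a certificate can pass the handshake and SASL yet leave the client with no more rights than anonymous. To check the real thing end to end, put the client certificate and key in the user's ldaprc as TLS_CERT and TLS_KEY and run ldapwhoami -ZZ -Y EXTERNAL against the server; it should answer with dn: followed by the mapped entry DN. None of this touches the "SSL_GET_PREV_SESSION:session id context uninitialized" failure quoted above, which by its own text arises in OpenSSL's session-resumption path, after the identity mapping is no longer involved.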