Hi Vadim,

the assumption is that the OpenSSL software library is probably not capable of certificate-based client authentication without an authentication framework. That's the job of SASL-EXTERNAL: the handling of the authentication ID and credential, mapping the certificate DN into an LDAP DN context and authorizing the user for LDAP directory access if successful... If a user takes a closer look at the Cyrus SASL library source, there isn't anything (not even an autoconf option for SASL-EXTERNAL) concerning an implementation of the SASL-EXTERNAL mechanism, not as far as I know in the latest version of the library release. So I guess it's not weird that OpenLDAP is not able to show up with a rootDSE attribute supportedSASLMechanism=EXTERNAL, because the SASL library has not even implemented the EXTERNAL mechanism in the library source code!

regards

Tarassov Vadim wrote:
> Hallo Wai,
>
> Yes, I was not able to make the ldap server authenticate ldap utils like ldapadd etc. either, although I believe I could manage to make my java client send a certificate to ldap. Anyway I would like to join you in your expectation to get some info from Kurt!
>
> Cheers, Vadim Tarassov.
>
> -----Original Message-----
> From: Wai Un [mailto:un@trustcenter.de]
> Sent: Thursday, 20 June 2002 16:54
> To: vadim.tarassov@winterthur.ch; openldap-software@openldap.org
> Subject: Re: What is EXTERNAL SASL Mechanism?
>
> Actually this question has been asked many times.
> Unfortunately, there's still no working solution to the problem!
> My experience is that whether or not the user uses that 'TLSClientVerify'
> directive, the OpenSSL software returns some error during the SSL
> handshake which says: error while reading the client certificate... etc.
> Maybe Kurt has a word to say there? Or he would kindly guide us
> how to configure the LDAP server correctly.
>
> regards,
>
> Wai
>
> Tarassov Vadim wrote:
>
> > Hallo Kurt,
> >
> > OK, sorry that I repeat my question, it is just because I am too new to SASL and LDAP and have to learn a lot ....
> > Here is my understanding of what may happen: the LDAP server gets the client certificate, reads the subject and attempts to interpret it as an LDAP user. Is it correct?
> >
> > If the server wants to get the client identity from the certificate it should require it during the handshake. I assume that the configuration parameter TLSVerifyClient should be "yes". Or maybe the EXTERNAL SASL mechanism is implemented in such a way that authentication is not influenced by the TLS configuration of the server?
> >
> > Anyway, is it described somewhere how I should configure the LDAP server to use EXTERNAL? Has someone checked if it really works with the LDAP provider from Sun? Why don't I see EXTERNAL in the list of supportedSASLMechanisms when using Sun's LDAP provider for JNDI (I believe I have the latest version of it)?
> >
> > Thanx a lot, Vadim Tarassov.
> >
> > -----Original Message-----
> > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> > Sent: Wednesday, 19 June 2002 20:30
> > To: vadim tarassov
> > Cc: openldap-software@OpenLDAP.org
> > Subject: Re: What is EXTERNAL SASL Mechanism?
> >
> > SASL/EXTERNAL is used to request that an identity established
> > by a lower layer be used at the application layer. In OpenLDAP,
> > as described in RFC 2829/2830, it's used to request that the client's
> > TLS authentication identity be used as the LDAP authentication
> > identity, which is then used for authorization purposes.
> >
> > At 02:27 PM 2002-06-18, vadim tarassov wrote:
> > >Hallo everybody,
> > >
> > >I was googling for the EXTERNAL SASL Mechanism, but could not find anything that could help me understand how openldap uses (implements?) it. I will be really glad if someone can explain it to me in a few details.
> > >
> > >Thanx a lot, Vadim Tarassov.
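The diagnostic this thread keeps coming back to is whether the server's rootDSE actually lists EXTERNAL under supportedSASLMechanisms; a client cannot do a SASL/EXTERNAL bind against a server that does not advertise it. The following is an added example (not code from the thread or from OpenLDAP) that parses the LDIF printed by `ldapsearch -x -b "" -s base supportedSASLMechanisms` and reports the answer; the LDIF embedded below is a constructed sample, not output from any real server.

```python
"""Check whether an LDAP server's rootDSE advertises SASL EXTERNAL.

Run `ldapsearch -x -H ldap://host -b "" -s base supportedSASLMechanisms`
and feed its output to external_advertised().  The sample below is
constructed for illustration and deliberately contains one folded value,
because LDIF wraps long lines and a continuation line starts with a space.
"""
import base64

# Constructed sample rootDSE output (not from a real server).
SAMPLE_ROOTDSE = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSS
 API
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with a space belongs to the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif_attrs(text):
    """Return {attribute_name_lowercase: [values]} for a single LDIF entry.

    Comments and blank lines are skipped; 'attr:: <base64>' values are decoded.
    Attribute names are case-insensitive in LDAP, so keys are lower-cased.
    """
    attrs = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def sasl_mechanisms(text):
    """The mechanism names the server offers, normalised to upper case."""
    return [v.upper() for v in parse_ldif_attrs(text).get("supportedsaslmechanisms", [])]


def external_advertised(text):
    """True only if the rootDSE lists EXTERNAL; otherwise a SASL/EXTERNAL bind cannot succeed."""
    return "EXTERNAL" in sasl_mechanisms(text)
```

If EXTERNAL is present, `ldapwhoami -Y EXTERNAL -ZZ` (with the client certificate configured in ldap.conf or ldaprc) shows which LDAP identity the server derived from the TLS identity.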