
Re: What is EXTERNAL SASL Mechanism?



Hello Wai,

OK, now I can tell what the EXTERNAL SASL mechanism is and how it works. I just managed to get it to work!!!!

Imagine you have a certificate with the following subject

email=vadim.tarassov@winterthur.ch,cn=gnida,ou=sexual harasments,o=online violence ltd,st=somewhere,c=ch

saslpswd it and make sure that such an LDAP user exists. Then it just works, at least with my setup.

Btw, please disregard my message about problems with the SSL session. I just noticed that after the session had been established I was trying to get the saslsupportedMechanisms attribute in an odd way; I still have to understand what went wrong there.

I would like to emphasize that I checked all of that with a Java client; I still have to make slurpd use the SASL EXTERNAL mechanism ...

Regards, Vadim Tarassov.


-----Original Message-----
From: Wai Un [mailto:un@trustcenter.de]
Sent: Thursday, 20 June 2002 17:37
To: Tarassov Vadim; openldap-software@openldap.org;
dibbern@trustcenter.de
Subject: Re: What is EXTERNAL SASL Mechanism?

Hi Vadim,
the assumption is that the OpenSSL software library is probably not capable of certificate-based
client authentication without an authentication framework. That's the job of SASL-EXTERNAL:
the handling of authentication ID and credential, mapping of the certificate DN into an LDAP
DN context and authorizing the user for LDAP directory access if successful...
If one takes a closer look at the Cyrus SASL library source, there isn't anything (not even an
autoconf option for SASL-EXTERNAL) concerning an implementation of the SASL-EXTERNAL
mechanism, not as far as I know in the latest version of the library release.
So I guess it's not weird that OpenLDAP is not able to show up with a rootDSE attribute:
supportedSASLMechanism=EXTERNAL
because the SASL library has not even implemented the EXTERNAL mechanism in the library
source code!

regards


Tarassov Vadim wrote:

> Hello Wai,
>
> Yes, I was not able to make the LDAP server authenticate LDAP utils like ldapadd etc. either, although I believe I could manage to make my Java client send a certificate to LDAP. Anyway, I would like to join you in your expectation to get some info from Kurt!
>
> Cheers, Vadim Tarassov.
>
> -----Original Message-----
> From: Wai Un [mailto:un@trustcenter.de]
> Sent: Thursday, 20 June 2002 16:54
> To: vadim.tarassov@winterthur.ch; openldap-software@openldap.org
> Subject: Re: What is EXTERNAL SASL Mechanism?
>
> Actually this question has been asked many times.
> Unfortunately, there's still no working solution to the problem!
> My experience is that whether or not the user uses that 'TLSClientVerify'
> directive, the OpenSSL software returns some error during the SSL
> handshake which says: error while reading the client certificate... etc.
> Maybe Kurt has a word to say there? Or he would kindly guide us
> on how to configure the LDAP server correctly.
> regards,
>
> Wai
>
> Tarassov Vadim wrote:
>
> > Hello Kurt,
> >
> > OK, sorry that I repeat my question; it is just because I am too new to SASL and LDAP and have to learn a lot ....
> > Here is my understanding of what may happen: the LDAP server gets the client certificate, reads the subject and attempts to interpret it as an LDAP user. Is that correct?
> >
> > If the server wants to get the client identity from the certificate it should require it during the handshake. I assume that the configuration parameter TLSVerifyClient should be "yes". Or maybe the EXTERNAL SASL mechanism is implemented in such a way that authentication is not influenced by the TLS configuration of the server?
> >
> > Anyway, is it described somewhere how I should configure the LDAP server to use EXTERNAL? Has someone checked if it really works with the LDAP provider from Sun? Why don't I see EXTERNAL in the list of supportedSASLMechanisms when using Sun's LDAP provider for JNDI (I believe I have the latest version of it)?
> >
> > Thanx a lot, Vadim Tarassov.
> >
> > -----Original Message-----
> > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> > Sent: Wednesday, 19 June 2002 20:30
> > To: vadim tarassov
> > Cc: openldap-software@OpenLDAP.org
> > Subject: Re: What is EXTERNAL SASL Mechanism?
> >
> > SASL/EXTERNAL is used to request that an identity established
> > by a lower layer be used at the application layer.  In OpenLDAP,
> > as described in RFC 2829/2830, it's used to request the client's
> > TLS authentication identity be used as the LDAP authentication
> > identity, which is then used for authorization purposes.
> >
> > At 02:27 PM 2002-06-18, vadim tarassov wrote:
> > >Hello everybody,
> > >
> > >I was googling for EXTERNAL SASL Mechanism, but could not find anything that could help me understand how OpenLDAP uses (implements?) it. I will be really glad if someone would explain it to me in a few details.
> > >
> > >Thanx a lot, Vadim Tarassov.
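The mechanism Kurt describes (the TLS-verified client identity becomes the LDAP authentication identity) and the mapping step Wai mentions can be modelled in a few lines. This is an added illustration, not OpenLDAP code: it assumes slapd presents the verified certificate subject as a "dn:<subject DN>" authorization identity, rewrites it with authz-regexp rules (called sasl-regexp in the OpenLDAP 2.0/2.1 era of this thread), and, when no rule matches, uses the subject DN itself as the bind DN, which is why Vadim's setup needs an entry with exactly that DN to exist. The sample subject, rule and DNs are constructed.

```python
import re

# Added example, not OpenLDAP code. Models how slapd turns a TLS client
# certificate into a SASL EXTERNAL identity and maps it to a directory DN.

def tls_external_authzid(cert_subject_dn: str) -> str:
    """After a successful handshake with client verification, the verified
    certificate subject is presented as the authzid "dn:<subject DN>"."""
    return "dn:" + cert_subject_dn


def map_authzid(authzid: str, rules: list[tuple[str, str]]) -> str:
    """Apply (pattern, replacement) rules in the style of a slapd.conf line
    such as   authz-regexp "^dn:email=([^,]+),.*,c=ch$" "mail=$1,ou=people,dc=x"
    Patterns are matched case-insensitively, as slapd does; the first match
    wins and $1..$9 in the replacement are the captured groups (assumed
    semantics, close to slapd's but written in Python's re)."""
    for pattern, replacement in rules:
        m = re.match(pattern, authzid, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    # No rule matched: a "dn:" identity is used as the bind DN unchanged, so an
    # entry with exactly the certificate subject must exist in the directory.
    if authzid.lower().startswith("dn:"):
        return authzid[3:]
    raise ValueError(f"cannot map {authzid!r} to a DN")


# Constructed sample subject, in the LDAP string form the thread shows.
SAMPLE_SUBJECT = "email=alice@example.com,cn=alice,ou=people,o=example corp,st=zh,c=ch"

# Constructed rule: pick the cn out of the certificate and bind as a directory user.
RULES = [
    (r"^dn:email=([^,]+),cn=([^,]+),.*,c=ch$", "cn=$2,ou=people,dc=example,dc=com"),
]

if __name__ == "__main__":
    ident = tls_external_authzid(SAMPLE_SUBJECT)
    print(ident, "->", map_authzid(ident, RULES))
    # Without any rule the subject DN itself is the bind DN (the setup Vadim reports).
    print(ident, "->", map_authzid(ident, []))
```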