[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: SASL, TLS & Client Certificates
As already noted in the Admin Guide, SASL/EXTERNAL is only offered by slapd
if the server receives a valid client cert from the client. If you follow the
Admin Guide and set up your .ldaprc as required, then you'll see EXTERNAL as
one of your choices. (Also assuming you apply the SASL library patch I posted
to the Cyrus SASL list a few days ago.)
On the server (slapd.conf) you must specify at least:
TLSCACertificate{File|Path}
TLSCertificateFile
TLSCertificateKeyFile
TLSVerifyClient <allow|try|demand>
In ldap.conf you may specify TLS_CACERT. If not in ldap.conf then you must
specify it in your .ldaprc file. You must specify TLS_CERT and TLS_KEY in
your .ldaprc file.
If none of this makes sense, or none of this is obvious from reading the
Guide, then feel free to suggest some other wording to clarify things.
I have no idea what you're referring to when you mention "LDAP/PEM prompts"
in your email. Perhaps you can clarify that point.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of STEWARD, Curtis
(Jamestown)
I'm looking for the best way to lay in a PKI infrastructure for client
certificates on top of LDAP, EXCLUDING Kerberos. The Admin Guide-Using
TLS, FAQ's , http://www.bayour.com/LDAPv3-HOWTO.html,
(is Kerberos centric) have been my main sources. It seems to me
SASL EXTERNAL should give me what I need.I've gotten this far:
Testing simple/anonymous bind
GSSAPI,DIGEST-MD5, & CRAM-MD5
Testing simple/anonymous bind w/SSL/TLS
Both SSL & TLS responds w/PLAIN,LOGIN in addition to above
Testing simple/user bind w/SSL/TLS
Can't pass through the LDAP/PEM prompts
Am I missing something here or is there a better alternative to
SASL? I've been unable to find anything with good SASL EXTERNAL,
cert storage, authentication, steps and example where the cert is
driving all authentication out of LDAP.
Curtis