
RE: SASL / External question



Read the TLS chapter of the Admin Guide. Section 11.1.2:

The DN of a client certificate can be used directly as an authentication DN.


It means what it says - when you authenticate using a certificate, the cert DN is your authentication DN. Period.

This section also goes on to say that you can execute mapping rules for these DNs if you need to, using the sasl-regexp rules.

SASL EXTERNAL doesn't necessarily follow any of the rules for standard SASL mechanisms. Since it is, by definition, using a system external to SASL itself, the name scheme is completely outside of SASL's control. When you use SASL EXTERNAL with TLS, you get the DN of the client certificate, you don't get the DN format that other SASL mechanisms get. Once you have this DN, you can map it to anything else if you need to. But for the most part you should be able to just use it as-is.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Francois
> Beretti
> Sent: Thursday, March 06, 2003 1:21 AM
> To: Liste OpenLDAP Software
> Subject: SASL / External question
> 
> 
> hello all
> 
> I have some questions about the sasl / external mechanism.
> 
> As I understand it, thanks to a post from Howard, the authentication dn
> is the dn used in the user certificate.
> I also think it can be a modification of this dn by sasl-regexp.
> 
> But in slapd.conf manpage, in the "sasl-regexp" keyword part,
> it is said that :
> "When an authorization request is received, the SASL USERNAME, REALM,
> and MECHANISM are taken, when available, and combined into a SASL name
> of the form uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth"
> 
> What is this "username", and when is it provided by the user?
> How is it related to the dn of the certificate?
> 
> Must the dn of the cert be of the form
> "uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth"
> in order to get the "external" mechanism to be used?
> 
> I read the whole doc, but I think that it is not very clear
> about SASL / External.
> I understand that the openldap developers must be _very_ busy, so I
> propose to make an add-on to the doc about sasl external once I
> understand it, if no one else does it.
> 
> regards
> 
> François Beretti
> 
> 
>
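To make the distinction in this thread concrete, here is an added example (not part of the thread, and not OpenLDAP's own code) that models what slapd feeds to sasl-regexp: for password-style mechanisms the synthesized name uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth, and for SASL EXTERNAL over TLS the client certificate's subject DN as-is. The rules, DNs and names below are constructed; the matching semantics (first matching rule wins, $1..$9 substitution, case-insensitive matching, identity left unchanged when nothing matches) are assumptions modeled on the slapd.conf sasl-regexp directive, so use the script to dry-run your own regexps before putting them in slapd.conf rather than as a statement of slapd internals.

```python
import re

# Constructed slapd.conf-style sasl-regexp rules (not from the original
# thread). In slapd.conf these two rules would be written as:
#   sasl-regexp "^uid=([^,]+),cn=digest-md5,cn=auth$"
#               "uid=$1,ou=People,dc=example,dc=com"
#   sasl-regexp "^cn=([^,]+),ou=Staff,o=Example Corp,c=US$"
#               "uid=$1,ou=People,dc=example,dc=com"
# Each entry is (match regexp, replacement with $1..$9 group references).
RULES = [
    # Password mechanisms (DIGEST-MD5 here) arrive as the synthesized SASL name.
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
     "uid=$1,ou=People,dc=example,dc=com"),
    # SASL EXTERNAL over TLS arrives as the certificate subject DN, unchanged.
    (r"^cn=([^,]+),ou=Staff,o=Example Corp,c=US$",
     "uid=$1,ou=People,dc=example,dc=com"),
]

# Same second rule without ^ and $ anchors, to show why anchoring matters.
UNANCHORED_RULES = [
    (r"cn=([^,]+),ou=Staff,o=Example Corp,c=US",
     "uid=$1,ou=People,dc=example,dc=com"),
]


def sasl_name(username, mechanism, realm=None):
    """Build the name slapd synthesizes for non-EXTERNAL mechanisms:
    uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth."""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts.append(f"cn={mechanism}")
    parts.append("cn=auth")
    return ",".join(parts)


def external_name(cert_subject_dn):
    """For SASL EXTERNAL over TLS the identity is the certificate DN itself;
    there is no uid=...,cn=auth wrapping."""
    return cert_subject_dn


def map_identity(identity, rules=RULES):
    """Apply sasl-regexp style rules to an identity (assumed semantics:
    first matching rule wins, case-insensitive match, $N expands to the
    N-th group). If no rule matches, the identity is used as-is."""
    for pattern, replacement in rules:
        match = re.search(pattern, identity, re.IGNORECASE)
        if match:
            # Translate slapd's $N references into Python's \N for expand().
            template = re.sub(r"\$(\d)", r"\\\1", replacement)
            return match.expand(template)
    return identity


if __name__ == "__main__":
    # Password mechanism: the synthesized SASL name is what gets mapped.
    print(map_identity(sasl_name("bob", "DIGEST-MD5")))
    # EXTERNAL: the certificate DN is mapped directly.
    print(map_identity(external_name("cn=alice,ou=Staff,o=Example Corp,c=US")))
    # EXTERNAL with no matching rule: the certificate DN is used unchanged.
    print(map_identity(external_name("cn=carol,ou=Contractors,o=Example Corp,c=US")))
    # Unanchored rule: an extra leading RDN in the certificate still matches,
    # so the subject is mapped although it is not the DN the rule meant.
    odd = "emailAddress=alice@example.com,cn=alice,ou=Staff,o=Example Corp,c=US"
    print(map_identity(odd))                    # unchanged with anchored rules
    print(map_identity(odd, UNANCHORED_RULES))  # mapped with the unanchored rule
```

Once a rule is in slapd.conf, the check is ldapwhoami -Y EXTERNAL -ZZ against the server with the client certificate configured; it prints the DN the bind actually resolved to, which is the quickest way to confirm that the certificate DN (or its mapped form) is what you expected. Keep the patterns anchored with ^ and $ so that only the exact subject DNs you issued certificates for are mapped.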