
RE: sasl / external : unable to get TLS client DN



Have you defined the variables TLS_CERT and TLS_KEY in your .ldaprc?
These are needed for SASL/EXTERNAL.

-----Original Message-----
From: Francois Beretti [mailto:francois.beretti@enatel.com]
Sent: Thursday, March 06, 2003 12:19 PM
To: Liste OpenLDAP Software
Subject: sasl / external : unable to get TLS client DN


Hello all

Back and still fighting with SASL EXTERNAL...
I hope you can help me.
I have created a client certificate with openssl
and the certificate DN seems to be:
C=FR, ST=France, L=Gennevilliers, O=Enatel,
CN=francois/Email=francois.beretti@enatel.com

I have a user "cn=francois,ou=people,dc=enatel,dc=local"
in my directory

Since I want to use SASL EXTERNAL as an authentication
method, I put in my slapd.conf:

sasl-host linux-integ.enatel.local
sasl-regexp C=FR,ST=France,L=Gennevilliers,O=Enatel,CN=(.*)/Email=(.*) cn=$1,ou=people,dc=enatel,dc=local

sasl-regexp is in only one line (my mail client split it)

but when I enter:

[francois@linux-integ francois]$ ldapsearch -ZZ -Y EXTERNAL
ldap_sasl_interactive_bind_s: Local error (82)

in my logs I got:
unable to get TLS client DN error=49

I think I'm not using the right replacement string.
Can anyone help me?

Maybe some config is needed on the saslauthd side,
but I have found nothing on the web...



regards,

Francois


Here are my slapd logs (loglevel -1):


 daemon: activity on 1 descriptors
 daemon: new connection on 10
 str2filter "(objectclass=*)"
 begin get_filter
 PRESENT
 end get_filter 0
 conn=0 fd=10 ACCEPT from IP=10.10.50.1:1718 (IP=0.0.0.0:389)
 daemon: added 10r
 daemon: activity on:

 daemon: select: listen=6 active_threads=0 tvp=NULL
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: activity on 1 descriptors
 daemon: activity on:
  10r

 daemon: read activity on 10
 connection_get(10)
 connection_get(10): got connid=0
 connection_read(10): checking for input on id=0
 ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
 do_extended
 daemon: select: listen=6 active_threads=1 tvp=NULL
 do_extended: oid=1.3.6.1.4.1.1466.20037
 daemon: select: listen=7 active_threads=1 tvp=NULL
 send_ldap_extended err=0 oid= len=0
 send_ldap_response: msgid=1 tag=120 err=0
 daemon: activity on 1 descriptors
 daemon: activity on:
  10r

 daemon: read activity on 10
 connection_get(10)
 connection_get(10): got connid=0
 connection_read(10): checking for input on id=0
 daemon: select: listen=6 active_threads=0 tvp=NULL
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: activity on 1 descriptors
 daemon: activity on:
  10r

 daemon: read activity on 10
 connection_get(10)
 connection_get(10): got connid=0
 connection_read(10): checking for input on id=0

<<<<<<<<
 connection_read(10): unable to get TLS client DN error=49 id=0
>>>>>>>>

 daemon: select: listen=6 active_threads=0 tvp=NULL
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: activity on 1 descriptors
 daemon: activity on:
  10r

 daemon: read activity on 10
 connection_get(10)
 connection_get(10): got connid=0
 connection_read(10): checking for input on id=0
 ber_get_next on fd 10 failed errno=0 (Success)
 connection_read(10): input error=-2 id=0, closing.
 connection_closing: readying conn=0 sd=10 for close
 connection_close: conn=0 sd=10
 daemon: removing 10
 conn=0 fd=10 closed
 daemon: select: listen=6 active_threads=0 tvp=NULL
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: activity on 1 descriptors
 daemon: select: listen=6 active_threads=0 tvp=NULL
 daemon: select: listen=7 active_threads=0 tvp=NULL
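
The following is an added example written for this archive page; it is not code from the thread or from the OpenLDAP project. The log above shows slapd failing to obtain the client DN at all ("unable to get TLS client DN error=49"), so the sasl-regexp was never consulted; the first thing to fix is getting the client to present a certificate (the TLS_CERT/TLS_KEY point in the reply), and slapd only asks for one when TLSVerifyClient is set to something other than never. The harness below is for the step after that: it takes the subject as openssl displays it, renders it in the form slapd is assumed to pass to sasl-regexp (RFC 2253 order, most specific RDN first, comma-separated, case-insensitive match), and tests candidate sasl-regexp lines against it offline. The rendering rule and the short name used for the e-mail component are assumptions to check against the identity your own slapd logs; OPENSSL_SUBJECT, POSTED_PATTERN, REVERSED_PATTERN and the function names are constructed for this example.

```python
import re

# Constructed sample: the subject as the poster's openssl output displayed it
# (issuer-to-leaf order, the way OpenSSL's "oneline" format prints it).
OPENSSL_SUBJECT = ("C=FR, ST=France, L=Gennevilliers, O=Enatel, "
                   "CN=francois/Email=francois.beretti@enatel.com")

# ASSUMPTION: OpenSSL labels the PKCS#9 e-mail component "Email" or
# "emailAddress"; the short name slapd uses for it depends on the server's
# schema, so compare the result with the identity slapd itself logs.
TYPE_ALIASES = {"emailaddress": "email"}

# The regexp from the original post, and one written in RFC 2253 order.
POSTED_PATTERN = r"C=FR,ST=France,L=Gennevilliers,O=Enatel,CN=(.*)/Email=(.*)"
REVERSED_PATTERN = (r"^email=[^,]+,cn=([^,]+),o=enatel,"
                    r"l=gennevilliers,st=france,c=fr$")
REPLACEMENT = "cn=$1,ou=people,dc=enatel,dc=local"


def parse_openssl_subject(subject):
    """Split an OpenSSL oneline subject into (type, value) pairs.

    Accepts both separators OpenSSL uses (", " and "/"). Values that
    themselves contain those separators are not handled; print such
    certificates with 'openssl x509 -nameopt RFC2253' instead.
    """
    rdns = []
    for part in re.split(r"/|,\s*", subject):
        if not part:
            continue
        typ, _, val = part.partition("=")
        typ = typ.strip().lower()
        rdns.append((TYPE_ALIASES.get(typ, typ), val.strip()))
    return rdns


def slapd_identity(rdns):
    """Render RDNs the way slapd is assumed to present a TLS client DN.

    ASSUMPTION (verify against 'slapd -d -1' output): RFC 2253 order, i.e.
    the reverse of OpenSSL's display, comma-separated with no spaces.
    Attribute-type case is irrelevant because sasl-regexp matching is
    case-insensitive, so only the types are lower-cased here.
    """
    return ",".join(f"{typ}={val}" for typ, val in reversed(rdns))


def sasl_regexp(identity, pattern, replacement):
    """Emulate one 'sasl-regexp <pattern> <replacement>' line.

    Returns the mapped DN, or None when the pattern does not match.
    $1..$9 in the replacement refer to the pattern's capture groups.
    """
    m = re.search(pattern, identity, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def check_mapping(subject=OPENSSL_SUBJECT):
    """Run both candidate patterns against the rendered identity."""
    identity = slapd_identity(parse_openssl_subject(subject))
    return {
        "identity": identity,
        "posted_pattern": sasl_regexp(identity, POSTED_PATTERN, REPLACEMENT),
        "reversed_pattern": sasl_regexp(identity, REVERSED_PATTERN, REPLACEMENT),
    }


if __name__ == "__main__":
    for key, value in check_mapping().items():
        print(f"{key:16} {value}")
```

Under these assumptions the pattern as posted never matches the reversed identity string, while the RFC 2253-ordered pattern maps it to cn=francois,ou=people,dc=enatel,dc=local. Confirm the assumed identity string before trusting the mapping: with the client presenting its certificate (TLS_CERT and TLS_KEY set in .ldaprc, TLSVerifyClient set to try or demand on the server), run ldapwhoami -ZZ -Y EXTERNAL and read the "slap_sasl2dn: converting SASL name ... to a DN" line in the slapd debug output, then paste that exact string into check_mapping in place of the constructed subject.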