Re: SASL EXTERNAL TLS question
Hi,
Kent Soper <dksoper@us.ibm.com> writes:
> Dieter Kluenter writes:
>
>> Hello,
>
>> "Milind Khandekar" <MKhandekar@savi.com> writes:
>
[...]
>> SASL username is read from the certificate and then parsed against an
>> entry, so make sure that the distinguished names are equal.
>
>> -Dieter
>
> I probably have a simple setup for my slapd, but the DN of the certificate
> does not have to be parsed to match an entry in my directory. If the client
> cert can be verified by the server, the client is authenticated. If a bad
> client cert is used, the client is not authenticated. I didn't even have a
> sasl-regexp in my slapd.conf to get it to work. However, Kurt Zeilenga did
> suggest to me that I would need to do some mapping of the DNs.
That is in principle correct: you don't need a certificate DN that
matches an entry, but if you have ACLs that require a specific DN,
like

  access to dn.subtree=cn=Monitor
      by dn.exact="cn=dieter kluenter,ou=partner,o=avci,c=de" write

SASL has to parse the SASL username into a DN.
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
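An added slapd.conf example of the mapping discussed in this thread (not configuration posted by either participant). It assumes client certificates are issued with subjects under ou=partner,o=avci,c=de, that the matching user entries live under that same base, and that the CA file path is a placeholder.

```conf
# Added example, not from the thread. Paths and layout are assumptions.

# Require a client certificate that chains to the trusted CA; a bad or
# missing certificate fails the TLS handshake, so SASL EXTERNAL never
# yields an identity at all.
TLSCACertificateFile /etc/openldap/cacert.pem   # placeholder path
TLSVerifyClient      demand

# With SASL EXTERNAL over TLS, the authentication identity slapd sees is
# the certificate subject DN, for example:
#   cn=dieter kluenter,ou=partner,o=avci,c=de
# Used as-is, that string only satisfies ACLs that happen to name it
# exactly. Mapping it onto a real entry with a search makes the bound DN
# the entry's stored DN, which is what dn.exact, group and authz checks
# compare against. $1 is the first regex group (the cn value).
# sasl-regexp is the older spelling of the same directive.
authz-regexp
    "^cn=([^,]+),ou=partner,o=avci,c=de$"
    "ldap:///ou=partner,o=avci,c=de??sub?(cn=$1)"

# The ACL from the message, now evaluated against the mapped entry DN.
access to dn.subtree="cn=Monitor"
    by dn.exact="cn=dieter kluenter,ou=partner,o=avci,c=de" write
    by * none
```

If no entry under the search base carries that cn, the mapping yields no DN and the session falls back to the unmapped identity, so the ACL above still denies it.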