
Re: SSL/TLS help
--On Friday, November 21, 2003 12:14 PM -0700 Matthew Riedel <mriedel@lanl.gov> wrote:

Hello,

   I'm having an issue between client/server SSL/TLS authentication.
Basically, I want to use TLS, but *not* SASL.  Unfortunately, every time a
client queries the server, they look for the attribute
"supportedSASLMechanisms", which the server doesn't have, so it reports
"No such object."

here's the log output:

client
======
[root@charles root]# /usr/local/bin/ldapsearch -d4
request 1 done
ldap_sasl_interactive_bind_s: No such object (32)


server
======
[~]{56}# /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d4
daemon_init: ldap:/// ldaps:///
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
bdb_db_init: Initializing BDB database
bdb_db_open: dc=esm,dc=lanl,dc=gov
slapd starting
connection_get(14)
SRCH "" 0 0 0 0 0
    filter: (objectClass=*)
    attrs: supportedSASLMechanisms
send_ldap_result: err=0 matched="" text=""
connection_get(14)


What I want to know is if there's a way to use TLS w/o SASL? The certificates all negotiate fine, etc. But the client hangs up on this. Any ideas would be *greatly* appreciated. I've been trying to get this stuff to work right for ages.

TLS & SASL are two separate things that you are getting confused.

TLS is an encryption mechanism.
SASL is an authentication mechanism.

To use TLS via ldapsearch, you can add the -ZZZ flag

To do a simple bind that requires no authentication, you use the -x flag to ldapsearch.

So you'd want:

ldapsearch -ZZZ -x <query>

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
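As an added illustration of the reply above (this is not code from the thread or from the OpenLDAP project), the shell snippet below does two things: it classifies a line of `ldapsearch -d4` debug output so you can tell whether the client attempted a SASL interactive bind (the symptom in the original post) rather than a simple bind, and it builds the StartTLS-plus-simple-bind command line that the reply recommends. The hostname, base DN and filter are placeholder arguments; the sample debug line is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from OpenLDAP itself.

# Classify one line of ldapsearch -d4 output by the bind call that produced it.
# "sasl"    -> the client used ldap_sasl_interactive_bind_s (SASL, the default
#              in OpenLDAP 2.1+ tools when -x is not given)
# "simple"  -> the client used a simple bind (-x)
# "unknown" -> the line is not a bind diagnostic
classify_bind_error() {
  case "$1" in
    *ldap_sasl_interactive_bind_s:*) echo "sasl" ;;
    *ldap_simple_bind*|*ldap_bind:*)  echo "simple" ;;
    *)                                echo "unknown" ;;
  esac
}

# Build the command line for a TLS-protected search with a simple (non-SASL)
# bind. Arguments: host, base DN, optional filter (placeholders are the
# caller's to supply).
#   -ZZ : issue StartTLS and abort if the TLS negotiation fails
#   -x  : simple bind instead of SASL; with no -D/-w this is an anonymous bind
#   -H  : LDAP URI of the server
#   -b  : search base
tls_simple_search_cmd() {
  host="$1"
  base="$2"
  filter="${3:-(objectClass=*)}"
  printf 'ldapsearch -ZZ -x -H ldap://%s -b "%s" "%s"\n' \
    "$host" "$base" "$filter"
}

# Run the search only if ldapsearch is installed; otherwise just show the
# command that would be executed (useful for checking the flags).
tls_simple_search() {
  cmd=$(tls_simple_search_cmd "$@")
  if command -v ldapsearch >/dev/null 2>&1; then
    eval "$cmd"
  else
    echo "ldapsearch not found; would run: $cmd" >&2
  fi
}

# Constructed sample: the debug line quoted in the original post.
sample_line='ldap_sasl_interactive_bind_s: No such object (32)'
echo "bind type in sample debug output: $(classify_bind_error "$sample_line")"
echo "corrected command: $(tls_simple_search_cmd ldap.example.test 'dc=example,dc=test')"
```

When `classify_bind_error` reports `sasl`, the client was never asked for a simple bind, so the fix is on the client command line (`-x`), not on the server; `-ZZ` is what actually enforces TLS on that connection.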