SASL EXTERNAL problem
- To: <openldap-software@OpenLDAP.org>
- Subject: SASL EXTERNAL problem
- From: "Ron Trompert" <ron@sara.nl>
- Date: Mon, 9 Aug 2004 17:13:07 +0200
- Content-class: urn:content-classes:message
- Thread-index: AcR+I1/q6AfZO7PfTqqRpkhVVBNE/g==
- Thread-topic: SASL EXTERNAL problem
Dear All,
I want to run an ldap server using TLS and the SASL EXTERNAL mechanism.
The relevant parts of slapd.conf look like:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /export/home/ron/test/ssl/hostcert.pem
TLSCertificateKeyFile /export/home/ron/test/ssl/hostkey.pem
TLSCACertificateFile /export/home/ron/test/ssl/16da7552.0
TLSVerifyClient demand
access to *
    by dn="cn=Manager,ou=sara.nl,dc=test,dc=org" write
    by dn.base="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" read
    by dn.base="CN=mu2.matrix.sara.nl,OU=sara.nl,O=hosts,O=dutchgrid" read
    by * none
But when I do a:
ldapsearch -LLL -Y EXTERNAL -H ldaps://localhost:10123 -s sub -b "ou=sara.nl,dc=test,dc=org" "objectclass=*"
I get only:
SASL/EXTERNAL authentication started
SASL username: CN=mu2.matrix.foo.org,OU=foo.org,O=hosts,O=grid
SASL SSF: 0
and that's it. I don't use sasl-regexp. What is wrong here?
In the server log I see:
SASL Canonicalize [conn=0]: authcid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
slap_sasl_getdn: id=cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid [len=52]
==>slap_sasl2dn: converting SASL name cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid to a DN
slap_sasl_regexp: converting SASL name cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: slapAuthcDN="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
SASL proxy authorize [conn=0]: authcid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" authzid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
conn=0 op=0 BIND authcid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
SASL Authorize [conn=0]: proxy authorization allowed
...
<== slap_sasl_bind: rc=0
conn=0 op=0 BIND dn="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" mech=EXTERNAL ssf=0
do_bind: SASL/EXTERNAL bind: dn="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" ssf=0
It looks to me that the authentication bit is OK, or am I wrong? What am I doing wrong here?
Best regards,
Ron Trompert
<ron@sara.nl>
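To make the access directive in the post easier to reason about, here is an added Python model of how slapd walks an `access to * by ...` clause list for a given bound DN. It is illustration code, not OpenLDAP's implementation or anything from the thread. It assumes a crude DN normalisation (attribute types and values lower-cased, spaces trimmed, which mimics caseIgnoreMatch for cn/ou/o/dc and ignores escaped commas and multi-valued RDNs), treats a bare `dn=` the same as `dn.base=`, and applies slapd's documented rule that the first matching `by` clause decides. The DNs are taken verbatim from the post; running it shows that the two `dn.base` clauses collapse to one after normalisation (the second is never reached) and which level the DN reported on the BIND line would receive.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered access levels as listed in slapd.access(5); a level grants every level below it.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed from the access directive quoted in the post (joined onto one line).
POSTED_ACL = (
    'access to * '
    'by dn="cn=Manager,ou=sara.nl,dc=test,dc=org" write '
    'by dn.base="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" read '
    'by dn.base="CN=mu2.matrix.sara.nl,OU=sara.nl,O=hosts,O=dutchgrid" read '
    'by * none'
)


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation (assumption: sufficient for the DNs in the post).
    Lower-cases attribute types and values and trims spaces around RDN parts;
    escaped commas and multi-valued RDNs are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


@dataclass
class ByClause:
    who: str    # '*', 'anonymous', 'users', or a DN spec such as 'dn.base=<dn>'
    level: str  # one of ACCESS_LEVELS


def parse_access(line: str) -> List[ByClause]:
    """Parse 'access to * by <who> <level> [by <who> <level> ...]'.
    Only the <by> list is modelled; <what> must be '*'."""
    tokens = shlex.split(line)  # shlex removes the quotes around dn="..."
    if tokens[:3] != ["access", "to", "*"]:
        raise ValueError("only 'access to *' is modelled")
    clauses = []
    i = 3
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError(f"malformed by-clause near token {i}")
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append(ByClause(who, level))
        i += 3
    return clauses


def who_matches(who: str, bound_dn: Optional[str]) -> bool:
    """Does the <who> part of a by-clause match the DN the client bound as?"""
    if who == "*":
        return True
    if who == "anonymous":
        return not bound_dn
    if who == "users":
        return bool(bound_dn)
    # dn=, dn.base=, dn.exact=: exact match on the normalised DN
    # (assumption: a bare dn= behaves like dn.base= here).
    for prefix in ("dn.base=", "dn.exact=", "dn="):
        if who.startswith(prefix):
            return bool(bound_dn) and normalize_dn(bound_dn) == normalize_dn(who[len(prefix):])
    raise ValueError(f"unsupported <who> form {who!r}")


def evaluate(clauses: List[ByClause], bound_dn: Optional[str]) -> Tuple[str, int]:
    """Return (granted level, index of the deciding clause).
    As in slapd, the first matching by-clause wins; later clauses are never consulted."""
    for idx, clause in enumerate(clauses):
        if who_matches(clause.who, bound_dn):
            return clause.level, idx
    return "none", -1  # slapd's implicit trailing 'by * none'


def allows(level: str, needed: str) -> bool:
    """True if the granted level covers the level an operation needs (e.g. search)."""
    return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(needed)


if __name__ == "__main__":
    acl = parse_access(POSTED_ACL)
    for dn in (None,
               "cn=Manager,ou=sara.nl,dc=test,dc=org",
               "cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid",   # DN on the BIND line
               "CN=mu2.matrix.sara.nl,OU=sara.nl,O=hosts,O=dutchgrid",   # same DN, cert casing
               "cn=someone,ou=people,dc=test,dc=org"):
        level, idx = evaluate(acl, dn)
        print(f"{dn!r:62} -> {level:5} via clause {idx}; search ok: {allows(level, 'search')}")
```

Both spellings of the host DN are decided by clause 1, so clause 2 is dead configuration under this model; the manager DN gets write, and any other or anonymous bind falls through to `by * none`.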