Re: SASL EXTERNAL with URLs other than ldapi://
Hi!
Well, actually, I am performing tests on the server itself, and my
ldap.conf file contains:
URI ldaps://ldap.mydomain.com
BASE dc=mydomain,dc=com
TLS_CACERT /usr/share/ssl/certs/cacert.pem
TLS_CERT /usr/share/ssl/certs/myhost.crt
TLS_KEY /usr/share/ssl/certs/myhost.key
#TLS_REQCERT never
where myhost.crt and myhost.key are the same files I am currently using in
the server's setup (as parameters for TLSCertificateFile and
TLSCertificateKeyFile; the CA certificate file is also the same).
Whether trying with SSL (ldaps://...), TLS (-Z, or even -ZZ), SASL with
GSSAPI, etc., the result is always the same: the "EXTERNAL" SASL
mechanism doesn't show up :\
I'm using openldap 2.2.13 and Cyrus SASL 2.1.19 on Fedora Core 3 Linux.
My other test box is an FC1, with openldap 2.1.22 and SASL 2.1.15, and its
behavior is exactly the same :\
... searching the Internet, I have found some reports of installations in
which a single "ldapsearch -x -h localhost ..." was able to "magically"
list the "EXTERNAL" mechanism, but... I could not figure out what the
difference is between those and mine :\
Btw, does anybody have the "EXTERNAL" SASL mechanism available via ldap:// or
ldaps://?
Thanks very much, folks!!
[]s!
Rodolfo
>
> On Thu, 10 Feb 2005, Jan-Piet Mens wrote:
>
>> On Thu Feb 10 2005 at 15:38:43 CET, Rodolfo Broco Manin wrote:
>>
>>> This may be a silly question, but... how can I use SASL's "EXTERNAL"
>>> mechanism with OpenLDAP over network connections (ldap:// and ldaps://
>>> URLs)? Here at my site I can see "supportedSASLMechanisms: EXTERNAL"
>>> only when connecting via a ldapi:// URL.
>> ...
>>> (It's not available using TLS or SSL)
>>> # ldapsearch -x -Z -H ldap://localhost -b "" -LLL -s base
>>
>> Try forcing TLS with another -Z or using ldaps://localhost
>>
>> $ ldapsearch -x -ZZ -H ldap://localhost -b "" -LLL -s base
>> ^
>>
>> $ ldapsearch -x -H ldaps://localhost -b "" -LLL -s base
>>
>
> You need to setup a client certificate. I assume your server is properly
> configured for TLS. See http://www.openldap.org/doc/admin22/tls.html for
> more.
>
> --
> Igor
>
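The piece the thread points at but never spells out, added here as an example and not part of any of the posts above: slapd advertises and accepts EXTERNAL on an ldap:// or ldaps:// connection only when the TLS handshake produced a verified client certificate, because supportedSASLMechanisms in the root DSE is computed per connection from that external identity (the same way the ldapi:// peer credentials supply it). With slapd.conf's default TLSVerifyClient never, the server never even requests a client certificate, so the TLS_CERT/TLS_KEY on the client side are never exercised and EXTERNAL stays hidden. The following slapd.conf fragment is hypothetical; it reuses the certificate paths and the dc=mydomain,dc=com base from the thread, and the certificate subject it maps is an assumption.

```conf
# slapd.conf fragment (added example, not from the original posts).
# Certificate paths are the ones shown in the thread; the client
# certificate subject used below is an assumed example.

TLSCACertificateFile  /usr/share/ssl/certs/cacert.pem
TLSCertificateFile    /usr/share/ssl/certs/myhost.crt
TLSCertificateKeyFile /usr/share/ssl/certs/myhost.key

# Default is "never": slapd does not request a client certificate, so the
# connection carries no external identity and EXTERNAL is not listed in
# supportedSASLMechanisms.  "try" requests one and uses it if it verifies
# against TLSCACertificateFile; a client without a certificate still gets
# a (non-EXTERNAL) connection.  "demand" refuses the TLS session unless a
# certificate that verifies is presented.
TLSVerifyClient try

# The verified certificate's subject becomes the SASL identity, as an
# LDAP DN string (RFC 2253 form, i.e. "cn=...,o=...", not OpenSSL's
# "/C=.../O=..." form).  Map it onto an entry under the real suffix;
# without a mapping, the bound identity is the bare certificate DN.
# Assumed example subject: cn=myhost.mydomain.com,o=mydomain
# (on the 2.1 box the directive is spelled sasl-regexp instead).
authz-regexp
  "^cn=([^,]+),o=mydomain$"
  "cn=$1,ou=hosts,dc=mydomain,dc=com"
```

Two client-side points go with this. First, ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only options: they are honoured in the per-user ldaprc / ~/.ldaprc, not in the system-wide ldap.conf, so the client certificate in the ldap.conf above is not actually being offered unless those two lines also live in the invoking user's ldaprc. Second, `-x` requests a simple bind; to bind with the mechanism, drop `-x` and use `ldapsearch -Y EXTERNAL -H ldaps://ldap.mydomain.com -b "" -s base -LLL supportedSASLMechanisms` (or `-ZZ` with ldap://), and check the server's log for the peer DN it derived from the certificate to confirm the authz-regexp pattern matches it.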