
Re: SASL Mech EXTERNAL disabled?



On Mon, 28 Sep 2009, Dieter Kluenter wrote:
> after updating to openldap-2.4.18, tls enabled sasl external mechanism
> seems to be disabled, but it is still enabled via ldapi://
...
> Is this a bug, or has something changed which I haven't noticed?

Hard to say whether this is a change when you don't say what version you 
updated from...

The SASL EXTERNAL mechanism is only available to ldap or ldaps connections 
if
1) the server requests a certificate (TLSVerifyClient option is set to 
   something other than "never"),
2) the client provides a certificate (TLS_CERT and TLS_KEY settings are
   used), AND
3) the server can verify the client's cert (the cert is under a CA 
   available to slapd via TLSCACertificateFile or TLSCACertificatePath
   and passes the various validity checks, etc)

Do those options all still look correct in your configs and are the CAs 
still where you expect?  Did you switch from building against OpenSSL to 
GNUtls or make any other build-time configuration changes?


Philip Guenther
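
The three conditions listed in the reply above can be checked in order with a short script. This is an added example, not part of the original message or of OpenLDAP; it assumes a slapd.conf-style server config (not cn=config) and a client ldaprc file, and the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: find which precondition for SASL EXTERNAL over TLS is unmet.
# Function names and the sample paths below are hypothetical.

# Print the effective TLSVerifyClient value from a slapd.conf-style file.
# slapd's default is "never" when the directive is absent.
verify_client_mode() {
    mode=$(awk 'tolower($1) == "tlsverifyclient" { v = tolower($2) }
                END { print v }' "$1")
    echo "${mode:-never}"
}

# Succeed only if the client config names both a certificate and a key.
client_offers_cert() {
    grep -Eiq '^[[:space:]]*TLS_CERT[[:space:]]+[^[:space:]]' "$1" &&
    grep -Eiq '^[[:space:]]*TLS_KEY[[:space:]]+[^[:space:]]' "$1"
}

# Succeed if the client cert chains to the CA file slapd trusts.
# Requires the openssl command; usage: cert_verifies CAFILE CERT
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the first unmet condition; usage: external_blocker SLAPD_CONF LDAPRC
external_blocker() {
    if [ "$(verify_client_mode "$1")" = never ]; then
        echo "server never requests a client certificate"
    elif ! client_offers_cert "$2"; then
        echo "client has no TLS_CERT/TLS_KEY pair"
    else
        echo "config ok; run cert_verifies on the CA file and client cert"
    fi
}

# Constructed sample configs (not taken from the thread).
tmp=$(mktemp -d)
printf 'TLSCACertificateFile /etc/ssl/ca.pem\n' > "$tmp/slapd.conf"
printf 'TLS_CERT /home/u/cert.pem\nTLS_KEY /home/u/key.pem\n' > "$tmp/ldaprc"
external_blocker "$tmp/slapd.conf" "$tmp/ldaprc"
rm -rf "$tmp"
```

TLS_CERT and TLS_KEY are user-only options in ldap.conf(5), so they take effect from a per-user ldaprc rather than the system-wide ldap.conf.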