Re: SASL Mech EXTERNAL disabled?
- To: Dieter Kluenter <dieter@dkluenter.de>
- Subject: Re: SASL Mech EXTERNAL disabled?
- From: Philip Guenther <guenther+ldapsoft@sendmail.com>
- Date: Mon, 28 Sep 2009 18:45:15 -0700
- Cc: openldap-software@openldap.org
- In-reply-to: <87fxa6ddkl.fsf@magenta.l4b.de>
- References: <87fxa6ddkl.fsf@magenta.l4b.de>
- User-agent: Alpine 2.00 (BSO 1167 2008-08-23)
On Mon, 28 Sep 2009, Dieter Kluenter wrote:
> after updating to openldap-2.4.18, tls enabled sasl external mechanism
> seems to be disabled, but it is still enabled via ldapi://
...
> Is this a bug, or has something changed which I haven't noticed?
Hard to say whether this is a change when you don't say what version you
updated from...
The SASL EXTERNAL mechanism is only available to ldap or ldaps connections if
1) the server requests a certificate (TLSVerifyClient option is set to something other than "never"),
2) the client provides a certificate (TLS_CERT and TLS_KEY settings are used), AND
3) the server can verify the client's cert (the cert is under a CA available to slapd via TLSCACertificateFile or TLSCACertificatePath and passes the various validity checks, etc)
Do those options all still look correct in your configs and are the CAs
still where you expect? Did you switch from building against OpenSSL to
GNUtls or make any other build-time configuration changes?
Philip Guenther
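The three prerequisites listed in the reply above, turned into a configuration audit. This is an added example, not code from the thread or from OpenLDAP; the directive names are the real slapd.conf/ldaprc ones, while every file path and file body below is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: check a slapd.conf and a client ldaprc
# for the three things SASL EXTERNAL over ldap/ldaps needs. Directive names are
# OpenLDAP's; the sample files written further down are constructed.

# First value of a directive (case-insensitive) in a config file, or empty.
cfg_value() {   # $1=config file, $2=directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Prints one line per unmet prerequisite and returns 1; returns 0 when all are met.
check_external_prereqs() {   # $1=slapd.conf, $2=ldaprc
    rc=0
    # 1) the server must ask for a client certificate
    v=$(cfg_value "$1" TLSVerifyClient)
    case "$v" in
        allow|try|demand) ;;
        *) echo "1) server does not request a client cert (TLSVerifyClient=${v:-unset})"; rc=1 ;;
    esac
    # 2) the client must present one (TLS_CERT/TLS_KEY belong in the user's ldaprc)
    if [ -z "$(cfg_value "$2" TLS_CERT)" ] || [ -z "$(cfg_value "$2" TLS_KEY)" ]; then
        echo "2) client has no TLS_CERT/TLS_KEY configured"; rc=1
    fi
    # 3) the server needs a CA to verify it against, and slapd must be able to read it
    ca=$(cfg_value "$1" TLSCACertificateFile)
    capath=$(cfg_value "$1" TLSCACertificatePath)
    if [ -z "$ca$capath" ]; then
        echo "3) server has no TLSCACertificateFile/TLSCACertificatePath"; rc=1
    elif [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "3) TLSCACertificateFile $ca is not readable"; rc=1
    fi
    return $rc
}

# Constructed sample configs: a server config with the setting that keeps EXTERNAL
# off over TLS, the same config corrected, and a client ldaprc that presents a cert.
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/ca.pem"          # empty placeholder standing in for the CA certificate
printf 'TLSVerifyClient never\nTLSCACertificateFile %s/ca.pem\n' "$SAMPLE_DIR" > "$SAMPLE_DIR/slapd-broken.conf"
printf 'TLSVerifyClient demand\nTLSCACertificateFile %s/ca.pem\n' "$SAMPLE_DIR" > "$SAMPLE_DIR/slapd-fixed.conf"
printf 'TLS_CERT %s/client.pem\nTLS_KEY %s/client.key\n' "$SAMPLE_DIR" "$SAMPLE_DIR" > "$SAMPLE_DIR/ldaprc"

check_external_prereqs "$SAMPLE_DIR/slapd-broken.conf" "$SAMPLE_DIR/ldaprc" ||
    echo "slapd-broken.conf: EXTERNAL over TLS cannot work"
check_external_prereqs "$SAMPLE_DIR/slapd-fixed.conf" "$SAMPLE_DIR/ldaprc" &&
    echo "slapd-fixed.conf: all prerequisites met"
```

The script only inspects configuration; whether the client cert actually validates against the CA is still decided by slapd at bind time, so finish with an `ldapwhoami -ZZ -Y EXTERNAL` against the server once the audit is clean.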