Re: SASL Mech EXTERNAL disabled?
Philip Guenther <guenther+ldapsoft@sendmail.com> writes:
> On Mon, 28 Sep 2009, Dieter Kluenter wrote:
>> after updating to openldap-2.4.18, tls enabled sasl external mechanism
>> seems to be disabled, but it is still enabled via ldapi://
> ...
>> Is this a bug, or has something changed which I haven't noticed?
>
> Hard to say whether this is a change when you don't say what version you
> updated from...
>
> The SASL EXTERNAL mechanism is only available to ldap or ldaps connections
> if
> 1) the server requests a certificate (TLSVerifyClient option is set to
> something other than "never"),
> 2) the client provides a certificate (TLS_CERT and TLS_KEY settings are
> used), AND
> 3) the server can verify the client's cert (the cert is under a CA
> available to slapd via TLSCACertificateFile or TLSCACertificatePath
> and passes the various validity checks, etc)
>
> Do those options all still look correct in your configs and are the CAs
> still where you expect? Did you switch from building against OpenSSL to
> GNUtls or make any other build-time configuration changes?
The update was from 2.4.17 to 2.4.18, built with OpenSSL.
,----[ ldaprc ]
| BASE o=avci,c=de
| TLS_CACERT /home/dieter/certs/avciCA.pem
| TLS_CERT /home/dieter/certs/dkluenter.pem
| TLS_KEY /home/dieter/certs/dkluenter-key.pem
| TLS_CIPHER_SUITE HIGH
| TLS_REQCERT demand
`----
,----[ cn=config.ldif ]
| olcTLSCACertificateFile: /etc/openldap/certs/avciCA.pem
| olcTLSCertificateFile: /etc/openldap/certs/magenta.pem
| olcTLSCertificateKeyFile: /etc/openldap/certs/magenta-key.pem
| olcTLSCipherSuite: HIGH:MEDIUM
| olcTLSVerifyClient: demand
`----
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
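A diagnostic for the three conditions Philip lists, added here as an example and not part of the thread; it assumes openssl and the OpenLDAP client tools are installed, and the config path and server URI it mentions are placeholders to replace with your own:

```sh
#!/bin/sh
# Added example, not from the thread: checks the three conditions for SASL
# EXTERNAL over ldap://+STARTTLS. Paths and the server URI are assumptions.

# 1) Server side: (olc)TLSVerifyClient must be something other than "never".
#    $1 = cn=config LDIF or slapd.conf. Prints the value; returns non-zero
#    when it is "never" or absent (slapd's default is never).
check_verify_client() {
    awk 'tolower($1) ~ /^(olc)?tlsverifyclient:?$/ { v = tolower($2) }
         END { if (v == "") v = "never"; print v; exit (v == "never") }' "$1"
}

# 2) Client side: TLS_CERT ($1) and TLS_KEY ($2) must belong together, i.e.
#    the certificate's public key equals the one derived from the private key.
check_cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 3) The client cert ($1) must chain to a CA in slapd's TLSCACertificateFile
#    ($2) and pass the usual validity checks (dates, signature, ...).
check_cert_chain() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Run the three local checks and say which one would keep EXTERNAL disabled.
run_checks() {
    cfg=$1 cert=$2 key=$3 ca=$4 rc=0
    v=$(check_verify_client "$cfg") ||
        { echo "TLSVerifyClient is '$v': slapd never asks for a client cert"; rc=1; }
    check_cert_key_match "$cert" "$key" ||
        { echo "TLS_CERT and TLS_KEY do not match"; rc=1; }
    check_cert_chain "$cert" "$ca" ||
        { echo "client cert does not verify against $ca"; rc=1; }
    return $rc
}

# Live probe against a running slapd ($1 = URI): list the SASL mechanisms the
# server offers after STARTTLS, then bind with EXTERNAL and print the authzid.
probe_external() {
    ldapsearch -H "$1" -x -ZZ -b '' -s base supportedSASLMechanisms
    ldapwhoami -H "$1" -ZZ -Y EXTERNAL
}

# Example call with the paths from Dieter's ldaprc and cn=config:
#   run_checks /etc/openldap/slapd.d/cn=config.ldif /home/dieter/certs/dkluenter.pem \
#       /home/dieter/certs/dkluenter-key.pem /etc/openldap/certs/avciCA.pem &&
#   probe_external ldap://ldap.example.com
```

If `run_checks` passes but `supportedSASLMechanisms` still lacks EXTERNAL after `-ZZ`, the remaining suspects are the build (OpenSSL vs GnuTLS) and the server-side CA path, exactly as Philip asks.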