[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldaprc with ldaps:// and ldap:// fallback

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: ldaprc with ldaps:// and ldap:// fallback
From: Dan White <dwhite@olp.net>
Date: Thu, 24 Jun 2010 08:23:55 -0500
Cc: Dieter Kluenter <dieter@dkluenter.de>, openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <1jklaf5.1qzfmh7c9rxpiM%manu@netbsd.org>
References: <87mxul1xnp.fsf@magenta.l4b.de> <1jklaf5.1qzfmh7c9rxpiM%manu@netbsd.org>
User-agent: Mutt/1.5.18 (2008-05-17)

On 24/06/10 11:57 +0200, Emmanuel Dreyfus wrote:

Dieter Kluenter <dieter@dkluenter.de> wrote:

No, ldapi:/// doesn't present a certificate, but you may establish a
startTLS session to ldapi:///, in this case the client requests a
server certificate.

Let me rephrase: I would like to specify two LDAP servers in ldaprc- one ldapi:/// with anonymous bind

- one ldaps:// with SASL EXTERNAL for and required server certificate

It seems to me it is not possible.


You could do SASL EXTERNAL over both, with ldapi:/// using Unix peercred,
i.e.:

authz-regexp
  ".*uidNumber=([^,]+),cn=peercred,cn=external,cn=auth"
  ldap:///ou=People,dc=example,dc=net??one?(uidNumber=$1)

--
Dan White

Follow-Ups:
- Re: ldaprc with ldaps:// and ldap:// fallback
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: ldaprc with ldaps:// and ldap:// fallback
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- Re: ldaprc with ldaps:// and ldap:// fallback
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: ldaprc with ldaps:// and ldap:// fallback
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: ldapsearch using entryCSN
Next by Date: Re: SASL auth not working
Index(es):
- Chronological
- Thread