On 24/06/10 22:13 +0200, Emmanuel Dreyfus wrote:
> Dan White <dwhite@olp.net> wrote:
>> You could do SASL EXTERNAL over both, with ldapi:/// using Unix peercred, i.e.:
>>
>> authz-regexp ".*uidNumber=([^,]+),cn=peercred,cn=external,cn=auth" ldap:///ou=People,dc=example,dc=net??one?(uidNumber=$1)
>
> That sounds nice, but will it work with the "TLS_REQCERT demand" I have for ldaps:// ?
Try:

TLS_REQCERT: try

In this case, EXTERNAL should only be offered after successful TLS negotiation, or over a unix domain socket. If TLS negotiation fails, then a SASL bind won't work without selecting another mechanism.

--
Dan White
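The mapping discussed above, as an added example that is not part of the thread: a small Python simulation of how the authz-regexp rule rewrites the peercred identity slapd derives for a client on ldapi://. The `gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth` authcid format is slapd's; the sample uid/gid and the client-certificate DN are constructed, and anchoring the match at both ends is an assumption of this simulation.

```python
"""Simulate slapd's authz-regexp rewrite of a SASL EXTERNAL authcid.

Added example, not code from the thread. Over ldapi:// slapd presents the
Unix peer's credentials as
    gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
and the authz-regexp rule from the thread turns that into a search URL.
"""
import re

# The authz-regexp rule quoted in the thread: match pattern and replacement.
# The leading ".*" is what skips the "gidNumber=<gid>+" prefix.
AUTHZ_REGEXP = (
    r".*uidNumber=([^,]+),cn=peercred,cn=external,cn=auth",
    "ldap:///ou=People,dc=example,dc=net??one?(uidNumber=$1)",
)


def map_authcid(authcid, rule=AUTHZ_REGEXP):
    """Return the rewritten URL for authcid, or None if the rule does not match.

    $1..$9 in the replacement are filled from the capture groups. Matching
    the whole string (fullmatch) is an assumption of this simulation.
    """
    pattern, replacement = rule
    m = re.fullmatch(pattern, authcid)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def peercred_authcid(uid, gid):
    """Authcid slapd derives from a Unix peer's uid/gid over ldapi://."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


if __name__ == "__main__":
    # Constructed sample: local uid/gid 1000 binding with -Y EXTERNAL over ldapi://.
    print(map_authcid(peercred_authcid(1000, 1000)))
    # Constructed sample: EXTERNAL over ldaps:// with a client certificate.
    # This rule only covers cn=peercred identities, so it stays unmapped (None)
    # and would need its own authz-regexp line.
    print(map_authcid("cn=manu,ou=People,dc=example,dc=net"))
```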