
Re: ldaprc with ldaps:// and ldap:// fallback



On 24/06/10 22:13 +0200, Emmanuel Dreyfus wrote:
> Dan White <dwhite@olp.net> wrote:
>
>> You could do SASL EXTERNAL over both, with ldapi:/// using Unix peercred,
>> i.e.:
>>
>> authz-regexp
>>    ".*uidNumber=([^,]+),cn=peercred,cn=external,cn=auth"
>>    ldap:///ou=People,dc=example,dc=net??one?(uidNumber=$1)
>
> That sounds nice, but will it work with the "TLS_REQCERT demand" I have
> for ldaps:// ?

Try:

TLS_REQCERT try

In this case, EXTERNAL should only be offered after successful TLS
negotiation, or over a unix domain socket.

If TLS negotiation fails, then a SASL bind won't work without selecting
another mechanism.

--
Dan White
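The authz-regexp mapping discussed in this thread, worked through as an added example (not code from the message or from OpenLDAP): it applies the peercred rule quoted above to the identity slapd derives from SO_PEERCRED on an ldapi:/// socket, expands the resulting LDAP URL and runs the one-level search against a constructed sample directory. The second rule, the sample entries and the certificate subject layout are assumptions added here to show the ldaps:// side, where SASL EXTERNAL's identity is the TLS client certificate subject rather than a peercred DN.

```python
import re
from urllib.parse import unquote

# authz-regexp rules, evaluated in order as slapd does.
# Rule 1 is the peercred rule from the message above (ldapi:///).
# Rule 2 is an ASSUMED rule for ldaps://, where the SASL EXTERNAL identity is
# the TLS client certificate's subject DN; this subject layout is invented.
AUTHZ_REGEXP_RULES = [
    (r".*uidNumber=([^,]+),cn=peercred,cn=external,cn=auth",
     "ldap:///ou=People,dc=example,dc=net??one?(uidNumber=$1)"),
    (r"^cn=([^,]+),ou=People,dc=example,dc=net$",
     "ldap:///ou=People,dc=example,dc=net??one?(cn=$1)"),
]

# Constructed sample directory: DN -> attributes under ou=People.
SAMPLE_PEOPLE = {
    "uid=alice,ou=People,dc=example,dc=net": {"uidNumber": "1000", "cn": "Alice Example"},
    "uid=bob,ou=People,dc=example,dc=net":   {"uidNumber": "1001", "cn": "Bob Example"},
}


def map_authzid(authzid, rules=AUTHZ_REGEXP_RULES):
    """Rewrite a SASL authorization identity with the first matching rule.

    slapd compiles authz-regexp patterns case-insensitively and substitutes
    $1..$9 with the capture groups. None means no rule matched, which leaves
    the identity unmapped and therefore unusable for authorization.
    """
    for pattern, template in rules:
        m = re.search(pattern, authzid, re.IGNORECASE)
        if m:
            out = template
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace("$%d" % i, group)
            return out
    return None


def parse_ldap_url(url):
    """Split an RFC 4516 URL (scheme://host/dn?attrs?scope?filter) into parts."""
    m = re.match(r"^(ldaps?|ldapi)://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, host, rest = m.groups()
    fields = rest.split("?")
    fields += [""] * (4 - len(fields))           # pad missing ?attrs?scope?filter
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {"scheme": scheme, "host": host, "base": dn, "attrs": attrs,
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def resolve_entry(url, people=SAMPLE_PEOPLE):
    """Run the mapped one-level search against the sample data.

    Only simple equality filters (attr=value) are handled here. As with
    slapd's authz-regexp, the search must yield exactly one entry.
    """
    parts = parse_ldap_url(url)
    fm = re.match(r"^\((\w+)=([^)]*)\)$", parts["filter"])
    if not fm or parts["scope"] != "one":
        raise ValueError("unsupported search: %r" % url)
    attr, value = fm.groups()
    base = parts["base"].lower()
    hits = []
    for dn, entry in people.items():
        low = dn.lower()
        # one-level scope: directly below the base, i.e. a single leading RDN
        if low.endswith("," + base) and "," not in low[:-len(base) - 1]:
            if entry.get(attr) == value:
                hits.append(dn)
    if len(hits) != 1:
        raise LookupError("authz search matched %d entries, need exactly 1" % len(hits))
    return hits[0]


def authz_dn(authzid):
    """Full path: SASL EXTERNAL identity -> authz-regexp -> search -> user DN."""
    target = map_authzid(authzid)
    if target is None:
        return None
    return resolve_entry(target)


if __name__ == "__main__":
    # Identity slapd builds from the peer's uid/gid on an ldapi:/// socket.
    print(authz_dn("gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth"))
    # Identity taken from an (assumed) TLS client certificate over ldaps://.
    print(authz_dn("cn=Bob Example,ou=People,dc=example,dc=net"))
```

The regex uses `[^,]+` rather than `\d+` because the peercred DN places `gidNumber=...+` before `uidNumber=`, and the greedy `.*` skips past it; the one-level search then has to return exactly one entry or the identity is rejected, which is the check to keep in mind when more than one account shares a uidNumber.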