
Re: ldaprc with ldaps:// and ldap:// fallback



On 25/06/10 05:29 +0200, Emmanuel Dreyfus wrote:
Dan White <dwhite@olp.net> wrote:

Try:

TLS_REQCERT: try

In this case, EXTERNAL should only be offered after successful TLS
negotiation, or over a unix domain socket.

If TLS negotiation fails, then a SASL bind won't work without selecting
another mechanism.

But ldap.conf(5) says "The server certificate is requested. If no
certificate is provided, the session proceeds normally.", which
suggests that the TLS negotiation may succeed without a server
certificate being sent. Is that wrong?

SASL EXTERNAL will only be offered if the server can identify you, or
derive an authentication identity, which it can never do if TLS does not
succeed - since it derives your identity from the contents of the client
certificate.

--
Dan White
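As an added example (not part of the thread or of OpenLDAP's own documentation), a ~/.ldaprc for the ldaps:// / ldap:// fallback setup discussed above, with the `try` setting next to a stricter one; host names and file paths are placeholders.

```conf
# ~/.ldaprc  (added example; host names and paths are placeholders)
URI        ldaps://ldap.example.com ldap://ldap.example.com
BASE       dc=example,dc=com
TLS_CACERT /etc/ssl/certs/example-ca.pem

# Client certificate and key. The server derives the SASL EXTERNAL
# identity from this certificate, so without a completed TLS session
# it has nothing to map and EXTERNAL is not offered.
TLS_CERT   /home/user/.ldap/client.crt
TLS_KEY    /home/user/.ldap/client.key
SASL_MECH  EXTERNAL

# Weak: "try" lets the session continue when the server presents no
# certificate, so a bind can end up on a connection where EXTERNAL is
# not available and fail with a misleading mechanism error.
#TLS_REQCERT try

# Stricter: require and verify the server certificate; a TLS problem
# is then reported as a TLS problem rather than as a SASL failure.
TLS_REQCERT demand
```

On the plain ldap:// fallback the tool still has to request StartTLS itself (for example `ldapwhoami -ZZ`); otherwise the connection stays in the clear and EXTERNAL will not be offered.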