Re: client authentication using TLS/SASL (ITS#865)
Hello, Kurt!
Here is a partial success message. I have successfully set up an openldap
service authenticated by TLS with client certificates. However, it has
been a bit of a hassle and I list here the things I had to do:
1. As already mentioned I have to use the -X option. All clients enter a
never-ending loop if the -X credentials are not supplied. I.e., any
combination of -ZZ and -Y EXTERNAL without -X hangs.
2. I have to use the -O none option to get EXTERNAL into the list of
mechanisms accepted by the client. In a successful connection I get an
ssf=0 display regardless of encryption strength in use (should be 128 or
162). My understanding about SASL is currently rather limited but I
suspect that ssf=0 is the reason that the EXTERNAL mechanism gets refused
if one omits -O none at the client. The server happily continues
regardless of the sasl-secprops settings in slapd.conf. In my successful
setup I used the default settings on the server side.
3. I had a hard time figuring out what the correct setting of -X is. The
certificate I use on the client side has the openssl display name of
$ openssl x509 -subject -noout -in src/SSL/olaf4c.pem
subject=/C=DE/L=Baldham/O=/OU=/CN=Olaf Schlueter 4/Email=olaf.schlueter@planet-interkom.de
I learned to pass all sasl_authorize checks if I use the -X option like
that:
-X 'u:/C=DE/L=Baldham/O=/OU=/CN=Olaf Schlueter 4/Email=olaf.schlueter@planet-interkom.de'
No need to hassle around with the proxy functionality then. Looks like
the automatic derivation of the authz identity at the server side is not
working yet.
4. I had to fix a line in servers/slapd/sasl.c. I am pretty sure that the
fix is not correct but has been necessary to make things work. I include
the diff in this message. The response parameter no longer used has been
screwed in the bv_len part, causing ber_printf to fail upon assembling
the response message.
Another bug found during the course:
ldapmodrdn defaults to authmethod LDAP_SIMPLE, making it impossible to
activate SASL authentication. I include my diff for that bug too.
Regards, OS
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 01.11.00, 22:07:28, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote on
the subject Re: client authentication using TLS/SASL (ITS#865):
> At 07:54 PM 11/1/00 +0000, Olaf Schlüter wrote:
> >There seems also some work remaining on the server side. Following your
> >hint, I fixed cyrus.c to set a authid.
> I have changes in HEAD which should fix the client side.
> Please test.
> As far as the 2.0 server goes, slapd doesn't support SASL proxying.
> You should not specify an authorization identity. That is, don't
> use -X. slapd will derive an authorization identity from the
> TLS authentication identity. It likely will be quite ugly,
> but you should be able to specify ACL which grant desired
> access.
> There is experimental proxying support in HEAD as well as
> identity mapping features. See devel list archives for details.
> Kurt
=== cd /root/ldap/servers/slapd/
=== cvs -d :pserver:anonymous@cvs.OpenLDAP.org:/repo/OpenLDAP diff -u sasl.c
Index: sasl.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/sasl.c,v
retrieving revision 1.49
diff -u -r1.49 sasl.c
--- sasl.c 2000/10/12 17:02:31 1.49
+++ sasl.c 2000/11/04 21:41:29
@@ -546,7 +546,7 @@
send_ldap_sasl( conn, op, rc,
NULL, NULL, NULL, NULL,
- response.bv_len ? &response : NULL );
+ /* response.bv_len ? &response :*/ NULL );
} else {
send_ldap_result( conn, op, rc,
=== cd /root/ldap/clients/tools/
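Review bot: replacing `response.bv_len ? &response : NULL` with an unconditional `NULL` in the send_ldap_sasl call masks the symptom instead of fixing it: slapd would then never return serverSaslCreds from this code path for any mechanism, not just EXTERNAL, which breaks any mechanism whose final server message carries data. Since the covering mail says the failure is a bogus bv_len in a `response` that is no longer used, the fix belongs where `response` is declared and filled: initialize it to an empty berval before the SASL library call that populates it and only set bv_len from the length the library actually returns, then keep the original conditional intact. Commented-out code should not go into a committed patch in any case.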
=== cvs -d :pserver:anonymous@cvs.OpenLDAP.org:/repo/OpenLDAP diff -u ldapmodrdn.c
Index: ldapmodrdn.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/clients/tools/ldapmodrdn.c,v
retrieving revision 1.73
diff -u -r1.73 ldapmodrdn.c
--- ldapmodrdn.c 2000/09/19 18:47:22 1.73
+++ ldapmodrdn.c 2000/11/04 21:49:10
@@ -113,7 +113,7 @@
infile = NULL;
not = contoper = verbose = remove = want_bindpw =
debug = manageDSAit = referrals = 0;
- authmethod = LDAP_AUTH_SIMPLE;
+ authmethod = -1;
version = -1;
prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : prog + 1;
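Review bot: changing the default to `authmethod = -1;` is only safe if every later use of authmethod in this file treats -1 as "not chosen" and falls back to LDAP_AUTH_SIMPLE when neither -x nor a SASL option was given; that code is not in the hunk, so please verify the bind path below resolves the sentinel the same way the `version = -1;` on the next line is evidently resolved for the protocol version, otherwise ldapmodrdn invoked with no auth option passes -1 into the bind. Also confirm that -1 does not collide with any LDAP_AUTH_* value defined in ldap.h, and say in the commit message whether this brings ldapmodrdn into line with the other tools in clients/tools, so the sentinel is not left unexplained.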
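The client invocation the message arrives at in points 1 to 3 (StartTLS enforced with -ZZ, SASL/EXTERNAL selected with -Y, the minimum SSF cleared with -O none, and the u:<subject> authorization identity passed with -X), collected into one shell script as an added example; this is not code from the original message or from the OpenLDAP project. It assumes a host name ldap.example.com and base dc=example,dc=com, which are placeholders, and the slash-separated subject format that openssl printed at the time; newer openssl prints a comma-separated form unless -nameopt RFC2253 is given, and the script refuses that rather than guessing. The embedded sample subject line is the one quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original message or the OpenLDAP project.
# Builds the ldapsearch command line for TLS + SASL/EXTERNAL as described
# in the message. Placeholders (assumptions): ldap.example.com, dc=example,dc=com.

# Constructed sample: the subject line exactly as quoted in the message, so the
# derivation can be exercised without running openssl against a real certificate.
SAMPLE_SUBJECT='subject=/C=DE/L=Baldham/O=/OU=/CN=Olaf Schlueter 4/Email=olaf.schlueter@planet-interkom.de'

# authzid_from_subject SUBJECT_LINE
# Turns an "openssl x509 -subject -noout" output line into the u:<subject>
# form the message found to pass the server's sasl_authorize checks.
# Only the slash-separated form of the day is accepted; the comma-separated
# form of newer openssl is rejected so a wrong authzid is never produced.
authzid_from_subject() {
    s=${1#subject=}
    case $s in
        /*) printf 'u:%s' "$s" ;;
        *)  printf 'unexpected subject format: %s\n' "$1" >&2; return 1 ;;
    esac
}

# authzid_from_cert CERT_PEM
# Same derivation, reading the subject from a client certificate with openssl.
authzid_from_cert() {
    authzid_from_subject "$(openssl x509 -subject -noout -in "$1")"
}

# external_bind_cmd HOST BASE AUTHZID
# Prints the ldapsearch invocation one argument per line so it can be inspected
# or eval'ed. -ZZ makes a failed StartTLS fatal, -Y EXTERNAL selects SASL/EXTERNAL,
# -O none clears the minimum SSF (the client reports ssf=0 even over TLS),
# -X passes the authorization identity the server expects.
external_bind_cmd() {
    host=$1; base=$2; authzid=$3
    printf '%s\n' ldapsearch -H "ldap://$host" -ZZ -Y EXTERNAL -O none \
        -X "$authzid" -b "$base" '(objectClass=*)'
}

# Usage with a real certificate (assumed path; needs openssl and ldapsearch):
#   authzid=$(authzid_from_cert src/SSL/olaf4c.pem) &&
#   eval "$(external_bind_cmd ldap.example.com dc=example,dc=com "$authzid" | sed "s/.*/'&'/" | tr '\n' ' ')"
```

The eval line in the usage comment is only needed because the subject contains spaces; when typing the command by hand, single-quote the -X value as the message does.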