SASL/EXTERNAL Mechanism Help

[Matt <mmaynard@student.math.uwaterloo.ca>]

Hi,

	I am in the early stages of writing a client application that
will connect to slapd using TLS to read various pieces of data from the
LDAP server.  I haev 2 major questinos that I could really use some
direction with :

1) I have been doing some looking into the SASL/EXTERNAL mechanism and it
seems to me that I could somehow set this up to allow the client to
present an X.509 certificate as authentication information.  Is this
correct?  An old software bug logged (ITS #865) that suggests that this
might be possible.

	On major problem - I cant seem to get EXTERNAL to show up as a
supported SASL mechanism. running 
 ldapsearch -x  -s base -b "" -ZZ  supportedsaslmechanisms

generates 
dn:
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5


but no EXTERNAL mechanism.

I am running Debain linux with OpenLDAP v 2.0.11 with Cyrus SASL 1.5.24
Do I need to run a version of LDAP from the HEAD branch, or is my SASL
libraries misconfigured somehow.

2) I have gotten my application to talk over the TLS link to the slapd
server (thanks to looking at the tools/ldap*.c code), and things are
working good, but I really require someway to know that the LDAP server my
application is talking to is trusted.  Basically I would like a way to
verify the certificate the slapd serevr is providing to my client app.  Is
there a way to get the information about the server certificate using the
LDAP library ? the OpenSSL library ?

	Any input or suggestions on where to look would be greatly
appreciated since I seem to have hit a wall on these issues. I have
tried to keep my explanations as breif as possible while making my
goals clear, but if elaboration is required, please dont hesitate to 
ask me. Thanks so much.

Matt Maynard
4B CS University of Waterloo