SASL EXTERNAL with TLS Authentication
I have been trying for several days to get SASL EXTERNAL working with TLS 
authentication (OpenLDAP 2.0.23 and Cyrus SASL 1.5.27).  I am able to do SASL 
binds with DIGEST-MD5 (so I know SASL works) and can use startTLS with 
'TLSVerifyClient 1' set in my slapd.conf (so I can verify my client certs 
work).  

The relevant output I get from slapd when I run
ldapsearch -h myserver -b 'dc=my-domain,dc=com' '(objectclass=*)' -ZZ -O none -Y EXTERNAL
is:
...
do_sasl_bind: dn () mech EXTERNAL
SASL Authorize [conn=6]: "<cert dn here>" as "u:<cert dn here>"
slap_sasl_bind: username="u:<cert dn here>" realm="" ssf=0
<== slap_sasl_bind: authorization disallowed
...

ldapsearch's output is:
... 
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication
        additional info: authorization disallowed
...

What am I missing to get the slap_sasl_bind to work?  And, out of curiosity, 
has anyone gotten this to work?  I've yet to find any success stories in my 
research.

If and when I get this working, I hope to write a nice HOW-TO for myself and 
everyone else's benefit.

Thank you!

dave
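An added example, not from dave's post and not OpenLDAP code: a small Python scanner for slapd log lines of the shape quoted above. It groups each SASL bind attempt by mechanism and connection, records the authcid/authzid pair slapd logged in its "SASL Authorize" line and the username/realm/ssf from "slap_sasl_bind", and flags attempts that ended with "authorization disallowed", which is the kind of thing a directory admin would want to alert on when client-certificate binds start failing. The sample log is constructed: it reuses the quoted lines with a made-up certificate subject in place of "<cert dn here>", and adds an equally made-up DIGEST-MD5 attempt on conn=7. The scanner assumes each slapd message sits on one line (the wrapped "SASL Authorize" line in the post is mail-client wrapping), and the ssf it reports is the SASL security-layer strength, which is 0 with -O none regardless of whether TLS is in use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. The EXTERNAL attempt mirrors the lines quoted in the
# post (placeholder DN substituted for "<cert dn here>"); the DIGEST-MD5
# attempt on conn=7 is invented to give the scanner a non-rejected case.
SAMPLE_SLAPD_LOG = """\
do_sasl_bind: dn () mech EXTERNAL
SASL Authorize [conn=6]: "cn=dave,ou=people,dc=my-domain,dc=com" as "u:cn=dave,ou=people,dc=my-domain,dc=com"
slap_sasl_bind: username="u:cn=dave,ou=people,dc=my-domain,dc=com" realm="" ssf=0
<== slap_sasl_bind: authorization disallowed
do_sasl_bind: dn () mech DIGEST-MD5
SASL Authorize [conn=7]: "dave" as "u:dave"
slap_sasl_bind: username="u:dave" realm="" ssf=0
"""

# One regex per slapd message type seen in the post. do_sasl_bind opens an
# attempt; the others fill in details until the next do_sasl_bind.
RE_MECH = re.compile(r'^do_sasl_bind: dn \((.*)\) mech (\S+)')
RE_AUTHZ = re.compile(r'^SASL Authorize \[conn=(\d+)\]: "(.*)" as "(.*)"')
RE_BIND = re.compile(r'^slap_sasl_bind: username="(.*)" realm="(.*)" ssf=(\d+)')
RE_RESULT = re.compile(r'^<== slap_sasl_bind: (.*)$')


@dataclass
class SaslBindEvent:
    mech: str
    conn: Optional[int] = None
    authcid: Optional[str] = None   # identity SASL authenticated (cert subject for EXTERNAL)
    authzid: Optional[str] = None   # identity slapd was asked to authorize ("u:..." form)
    username: Optional[str] = None
    realm: Optional[str] = None
    ssf: Optional[int] = None       # SASL security-layer strength, not TLS strength
    result: Optional[str] = None    # text after "<== slap_sasl_bind:", if any

    @property
    def rejected(self) -> bool:
        """True when slapd closed the attempt with an authorization failure."""
        return self.result is not None and "authorization disallowed" in self.result


def parse_sasl_binds(log_text: str) -> List[SaslBindEvent]:
    """Scan slapd log text and return one event per SASL bind attempt."""
    events: List[SaslBindEvent] = []
    cur: Optional[SaslBindEvent] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_MECH.match(line)
        if m:
            cur = SaslBindEvent(mech=m.group(2))
            events.append(cur)
            continue
        if cur is None:
            continue  # detail line before any do_sasl_bind: ignore
        m = RE_AUTHZ.match(line)
        if m:
            cur.conn, cur.authcid, cur.authzid = int(m.group(1)), m.group(2), m.group(3)
            continue
        m = RE_BIND.match(line)
        if m:
            cur.username, cur.realm, cur.ssf = m.group(1), m.group(2), int(m.group(3))
            continue
        m = RE_RESULT.match(line)
        if m:
            cur.result = m.group(1)
    return events


def rejected_binds(log_text: str) -> List[SaslBindEvent]:
    """Only the attempts slapd refused with 'authorization disallowed'."""
    return [e for e in parse_sasl_binds(log_text) if e.rejected]


def summarize(events: List[SaslBindEvent]) -> List[str]:
    """One human-readable line per attempt, suitable for an alert body."""
    out = []
    for e in events:
        outcome = e.result or "no result line seen"
        out.append(f"conn={e.conn} mech={e.mech} authcid={e.authcid!r} "
                   f"authzid={e.authzid!r} ssf={e.ssf} -> {outcome}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_sasl_binds(SAMPLE_SLAPD_LOG)):
        print(line)
```

Point it at a real slapd log (loglevel with the SASL/bind messages enabled) by reading the file into `parse_sasl_binds`; a spike in `rejected_binds` for mech EXTERNAL is a quick signal that certificate-to-identity mapping on the server has broken, as opposed to the TLS handshake itself failing.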