[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: What is EXTERNAL SASL Mechanism?

To: vadim.tarassov@winterthur.ch, openldap-software@OpenLDAP.org
Subject: Re: What is EXTERNAL SASL Mechanism?
From: Wai Un <un@trustcenter.de>
Date: Thu, 20 Jun 2002 16:53:48 +0200
References: <D5267A3EBA13D511BD5C000629A816950273A93A@C010893.winterthur.ch>

Actually this question has been asked for many times.
Unfortunately, there's still no working solution to the problem!
My experience is that whether or not user uses that 'TLSClientVerify'
directive: the OpenSSL software returns some error during the SSL-
Handshake which says: error while reading the client certificate... etc.
May be Kurt has a word to say there? Or he would kindly guide us
how to configure the LDAP server correctly.
regards,

Wai

Tarassov Vadim wrote:

> Hallo Kurt,
>
> OK, sorry that I repeat my question, it is just because I am too new in SASL and LDAP and have to learn a lot ....
> Here is my understanding of what may happen: LDAP server gets client certificate, reads subject and attempts to interpret it as LDAP user. Is it correct?
>
> If server wants to get client identity from certificate it should require it during handshake. I assume that configuration parameter TLSVerifyClient should be "yes". Or may be EXTERNAL SASL mechanism is implemented in such way that authentication is not influenced by TLS configuration of the server?
>
> Anyway, is it described somewhere how should I configure LDAP server to use EXTERNAL? Has someone checked if it really works with LDAP provider from sun? Why I don't see EXTERNAL in the list of supportedSASLMechanisms when using SUN's LDAP provider for JNDI (I believe I have latest version of it)?
>
> Thanx a lot, Vadim Tarassov.
>
> -----Ursprüngliche Nachricht-----
> Von: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Gesendet am: Mittwoch, 19. Juni 2002 20:30
> An: vadim tarassov
> Cc: openldap-software@OpenLDAP.org
> Betreff: Re: What is EXTERNAL SASL Mechanism?
>
> SASL/EXTERNAL is used to request that an identity established
> by a lower layer be used at the application layer.  In OpenLDAP,
> as described in RFC 2829/2830, its used to request the client's
> TLS authentication identity be used as the LDAP authentication
> identity, which is then used for authorization purposes.
>
> At 02:27 PM 2002-06-18, vadim tarassov wrote:
> >Hallo everybody,
> >
> >I was googling for EXTERNAL SASL Mechanism, but could not find anything what could help me to understand how openldap uses (implements?) it. I will be really glad if someone will explain me in few details.
> >
> >Thanx a lot, Vadim Tarassov.

References:
- AW: What is EXTERNAL SASL Mechanism?
  - From: Tarassov Vadim <Vadim.Tarassov@winterthur.ch>

Prev by Date: synchronization between 2 slapd instances
Next by Date: slapadd can't find libdb
Index(es):
- Chronological
- Thread