
RE: SASL, TLS & Client Certificates
As already noted in the Admin Guide, SASL/EXTERNAL is only offered by slapd
if the server receives a valid client cert from the client. If you follow the
Admin Guide and set up your .ldaprc as required, then you'll see EXTERNAL as
one of your choices. (Also assuming you apply the SASL library patch I posted
to the Cyrus SASL list a few days ago.)

On the server (slapd.conf) you must specify at least:
TLSCACertificate{File|Path}
TLSCertificateFile
TLSCertificateKeyFile
TLSVerifyClient <allow|try|demand>

In ldap.conf you may specify TLS_CACERT. If not in ldap.conf then you must
specify it in your .ldaprc file. You must specify TLS_CERT and TLS_KEY in
your .ldaprc file.

If none of this makes sense, or none of this is obvious from reading the
Guide, then feel free to suggest some other wording to clarify things.

I have no idea what you're referring to when you mention "LDAP/PEM prompts"
in your email. Perhaps you can clarify that point.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
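
The reply above lists which TLS directives belong on each side (slapd.conf on the server; TLS_CACERT in ldap.conf or .ldaprc, TLS_CERT and TLS_KEY in .ldaprc only). The following is an added example, not code from the original post or from OpenLDAP: a small POSIX shell audit that reads a slapd.conf and a client .ldaprc/ldap.conf pair and reports any of those directives that are missing, plus constructed sample files to run it against. All file paths in the samples are placeholders; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit server and client LDAP
# TLS configuration for the directives slapd needs before it will receive a
# client certificate and offer SASL/EXTERNAL. Sample files are constructed
# inline; every path in them is a placeholder.

# Print the value of a directive (first match; directive names are case-insensitive).
conf_value() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Server side: TLSCACertificate{File|Path}, TLSCertificateFile,
# TLSCertificateKeyFile and TLSVerifyClient. Returns 0 when all are present
# and TLSVerifyClient actually asks the client for a certificate.
check_slapd_conf() {
    sconf="$1"; rc=0
    ca_file=$(conf_value "$sconf" TLSCACertificateFile)
    ca_path=$(conf_value "$sconf" TLSCACertificatePath)
    [ -n "$ca_file$ca_path" ] || { echo "$sconf: missing TLSCACertificateFile/Path"; rc=1; }
    for directive in TLSCertificateFile TLSCertificateKeyFile; do
        [ -n "$(conf_value "$sconf" "$directive")" ] || { echo "$sconf: missing $directive"; rc=1; }
    done
    verify=$(conf_value "$sconf" TLSVerifyClient)
    case "$verify" in
        allow|try|demand|hard) ;;   # a client cert is requested; 'demand'/'hard' also require it to be valid
        "")    echo "$sconf: TLSVerifyClient not set (default 'never': no client cert requested)"; rc=1 ;;
        never) echo "$sconf: TLSVerifyClient never: no client cert requested, EXTERNAL cannot be offered"; rc=1 ;;
        *)     echo "$sconf: TLSVerifyClient '$verify' not recognised"; rc=1 ;;
    esac
    return $rc
}

# Client side: TLS_CERT and TLS_KEY must be in .ldaprc; TLS_CACERT may live in
# either ldap.conf or .ldaprc. Returns 0 when the client can present its cert
# and validate the server's.
check_client_conf() {
    ldaprc="$1"; ldapconf="$2"; rc=0
    for directive in TLS_CERT TLS_KEY; do
        [ -n "$(conf_value "$ldaprc" "$directive")" ] || { echo "$ldaprc: missing $directive"; rc=1; }
    done
    if [ -z "$(conf_value "$ldaprc" TLS_CACERT)" ] && \
       { [ ! -f "$ldapconf" ] || [ -z "$(conf_value "$ldapconf" TLS_CACERT)" ]; }; then
        echo "TLS_CACERT set in neither $ldapconf nor $ldaprc"; rc=1
    fi
    return $rc
}

# Constructed sample files, written into the directory given as $1.
make_samples() {
    dir="$1"
    # Complete server configuration.
    cat >"$dir/slapd.conf" <<'EOF'
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/servercrt.pem
TLSCertificateKeyFile   /etc/openldap/serverkey.pem
TLSVerifyClient         demand
EOF
    # Same, but TLSVerifyClient left out: slapd never asks for a client cert.
    cat >"$dir/slapd-noverify.conf" <<'EOF'
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/servercrt.pem
TLSCertificateKeyFile   /etc/openldap/serverkey.pem
EOF
    cat >"$dir/ldap.conf" <<'EOF'
TLS_CACERT  /etc/openldap/cacert.pem
EOF
    cat >"$dir/ldaprc" <<'EOF'
TLS_CERT    /home/user/clientcrt.pem
TLS_KEY     /home/user/clientkey.pem
EOF
    # Client file with the private key missing: no cert can be presented.
    cat >"$dir/ldaprc-nokey" <<'EOF'
TLS_CERT    /home/user/clientcrt.pem
EOF
}

# Demo: write the samples to a scratch directory and audit each pair.
demo() {
    scratch=$(mktemp -d)
    make_samples "$scratch"
    for s in slapd.conf slapd-noverify.conf; do
        if check_slapd_conf "$scratch/$s"; then echo "$s: ok"; else echo "$s: incomplete"; fi
    done
    for c in ldaprc ldaprc-nokey; do
        if check_client_conf "$scratch/$c" "$scratch/ldap.conf"; then echo "$c: ok"; else echo "$c: incomplete"; fi
    done
    rm -rf "$scratch"
}
demo
```

Once both sides pass, the reply's claim can be confirmed from the client with the standard tools: `ldapsearch -x -ZZ -b "" -s base supportedSASLMechanisms` should now list EXTERNAL among the mechanisms, and `ldapwhoami -Y EXTERNAL -ZZ` shows the identity slapd derives from the certificate subject. The audit only checks that the directives are present, not that the referenced files exist or that the key matches the certificate.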

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of STEWARD, Curtis (Jamestown)

I'm looking for the best way to lay in a PKI infrastructure for client
certificates on top of LDAP, EXCLUDING Kerberos.  The Admin Guide (Using
TLS), FAQs, and http://www.bayour.com/LDAPv3-HOWTO.html (which is
Kerberos centric) have been my main sources.  It seems to me
SASL EXTERNAL should give me what I need. I've gotten this far:
        Testing simple/anonymous bind
                GSSAPI,DIGEST-MD5, & CRAM-MD5
        Testing simple/anonymous bind w/SSL/TLS
                Both SSL & TLS respond w/PLAIN, LOGIN in addition to above
        Testing simple/user bind w/SSL/TLS
                Can't pass through the LDAP/PEM prompts
Am I missing something here, or is there a better alternative to
SASL?  I've been unable to find anything with good SASL EXTERNAL
cert storage, authentication steps, and an example where the cert is
driving all authentication out of LDAP.
Curtis