[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL / External question

To: openldap-software@OpenLDAP.org
Subject: Re: SASL / External question
From: Dieter Kluenter <dieter@dkluenter.de>
Date: Thu, 06 Mar 2003 11:38:56 +0100
In-reply-to: <1046942483.799.29.camel@linux-integ> (Francois Beretti's message of "06 Mar 2003 10:21:23 +0100")
References: <1046942483.799.29.camel@linux-integ>
User-agent: Gnus/5.090005 (Oort Gnus v0.05) XEmacs/21.4 (Informed Management, i686-pc-linux)

Hi,

Francois Beretti <francois.beretti@enatel.com> writes:

> hello all
>
> I have some question about sasl / external mechanism
>
> As I understand it, thanks to a post from Howard, the authentication dn
> is the dn used in the user certificate
> I also think it can be a modification of this dn by sasl-regexp
>
> But in slapd.conf manpage, in the "sasl-regexp" keyword part,
> it is said that :
> "When an authorization request is received, the SASL USERNAME, REALM,
> and MECHANISM are taken, when available, and combined into a SASL name
> of the form uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth"
>
> what is this "username" and when is it provided by the user ? How is it
> related to the dn of the certificate ?

If you have a user certificate already, try 
ldapwhoami -Y EXTERNAL -ZZ
and you will see your SASL username.
>
> must the dn of the cert be of the form
> "uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth"
> in order to get the "external" mechanism to be used ?

No, the dn of the certificate should be in the form of your DIT
entry, so the certificate DN can be mapped to the appropriate entry.


-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter@schevolution.com
http://www.schevolution.com/tour

References:
- SASL / External question
  - From: Francois Beretti <francois.beretti@enatel.com>

Prev by Date: ldap_simple_bind_s() failed - Protocol error
Next by Date: RE: saslauxprop and libldapdb, auxpropfunc error -7
Index(es):
- Chronological
- Thread