Re: SASL EXTERNAL with URLs other than ldapi://

[Igor Brezac <igor@ipass.net>]

On Thu, 10 Feb 2005 rodolfo@ime.unicamp.br wrote:

> Hi!
>
> Well, actually, I am performing tests at the server itself, and my
> ldap.conf file contains:
>
> URI             ldaps://ldap.mydomain.com
> BASE            dc=mydomain,dc=com
> TLS_CACERT      /usr/share/ssl/certs/cacert.pem
> TLS_CERT        /usr/share/ssl/certs/myhost.crt
> TLS_KEY         /usr/share/ssl/certs/myhost.key

You cannot specify TLS_(KEY|CERT) in ldap.conf.  These are user-only 
options (.ldaprc).  See man ldap.conf.

> #TLS_REQCERT    never
>
> where myhost.crt and myhost.key are the same files I am currently using at
> server's setup (as parameters for TLSCertificateFile and
> TLSCertificateKeyFile.  The CA certificate file is also the same).

A client certificate more then likely is going to be different from the 
server certificate.  Do you have your cert DN in your directory or 
have you mapped the cert DN into LDAP DN?

> Ever trying with SSL (ldaps://...), TLS (-Z - or ever -ZZ), SASL with
> GSSAPI, etc, etc, the result is always the same: the "EXTERNAL" SASL
> mechanism doesn't shows up :\
>
> I'm using openldap 2.2.13 and Cyrus SASL 2.1.19 at a Fedora Core 3 Linux.
> My other test box is a FC1, with openldap 2.1.22 and SASL 2.1.15, and its
> behavior is exactly the same :\
>
> ... searching the iNet, I have found some reports of installations in
> which a single "ldapsearch -x -h localhost ..." was able to "magically"
> list the "EXTERNAL" mechanism, but... I could not figure out what is the
> difference between those and mine :\
>
> Btw, does somebody have the "EXTERNAL" sasl mech. available via ldap:// or
> ldaps:// ???

I have it working.  This will only work for ldaps://.  SASL EXTERNAL uses 
TLS for authentication among other things.  SASL EXTERNAL is also 
available over ldapi.

--
Igor