
Re: client authentication using TLS/SASL (ITS#865)



Hello, Kurt!

Here is a partial success message. I have successfully set up an openldap 
service authenticated by TLS with client certificates. However, it has 
been a bit of a hassle and I list here the things I had to do:

1. As already mentioned I have to use the -X option. All clients enter a 
never-ending loop if the -X credentials are not supplied. I.e., any 
combination of -ZZ and -Y EXTERNAL without -X hangs.

2. I have to use the -O none option to get EXTERNAL into the list of 
mechanisms accepted by the client. In a successful connection I get an 
ssf=0 display regardless of encryption strength in use (should be 128 or 
162). My understanding about SASL is currently rather limited but I 
suspect that ssf=0 is the reason that the EXTERNAL mechanism gets refused 
if one omits -O none at the client. The server happily continues 
regardless of the sasl-secprops settings in slapd.conf. In my successful 
setup I used the default settings on the server side.

3. I had a hard time figuring out what the correct setting of -X is. The 
certificate I use on the client side has the openssl display name of 

$ openssl x509 -subject -noout -in src/SSL/olaf4c.pem
subject=/C=DE/L=Baldham/O=/OU=/CN=Olaf Schlueter 
4/Email=olaf.schlueter@planet-interkom.de

I learned to pass all sasl_authorize checks if I use the -X option like 
that:
-X 'u:/C=DE/L=Baldham/O=/OU=/CN=Olaf Schlueter 
4/Email=olaf.schlueter@planet-interkom.de'

No need to hassle around with the proxy functionality then. Looks like 
the automatic derivation of the authz identity at the server side is not 
working yet.

4. I had to fix a line in servers/slapd/sasl.c. I am pretty sure that the 
fix is not correct but has been necessary to make things work. I include 
the diff in this message. The response parameter no longer used has been 
screwed in the bv_len part, causing ber_printf to fail upon assembling 
the response message.

Another bug found during the course:

ldapmodrdn defaults to authmethod LDAP_SIMPLE, making it impossible to 
activate SASL authentication. I include my diff for that bug too.

Regards, OS
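As an added example (not part of Olaf's message or of the OpenLDAP sources), the following shell script assembles the client invocation that items 1 to 3 above arrive at, deriving the -X authorization identity from the certificate subject exactly as openssl prints it. The host name, base DN, the choice of ldapsearch and the ldap.conf settings named in the comments are assumptions; the subject string is the one shown above.

```shell
#!/bin/sh
# Added example, not code from the original message: build the client
# command line for TLS with SASL EXTERNAL as the message describes it.
# Host name, base DN and the use of ldapsearch are assumptions.

# Turn one "subject=..." line from `openssl x509 -subject -noout` into the
# authorization identity the message passes with -X: "u:" + raw subject.
# Handles both "subject=/C=..." and "subject= /C=..." output styles and
# strips trailing whitespace (the wrapped display above had one).
authzid_from_subject() {
    # $1: subject line as printed by openssl
    printf 'u:%s' "$(printf '%s' "$1" | sed -e 's/^subject= *//' -e 's/[[:space:]]*$//')"
}

# Assemble the ldapsearch command. Each option has the role the message
# found necessary:
#   -ZZ          start TLS and abort if it cannot be established
#   -Y EXTERNAL  SASL EXTERNAL, i.e. authenticate with the TLS client cert
#   -O none      drop the client's default security properties; with the
#                reported ssf=0 the default minimum ssf would otherwise
#                exclude EXTERNAL from the usable mechanisms
#   -X u:...     explicit authorization identity, needed as long as the
#                server does not derive it from the TLS identity itself
ldap_external_cmd() {
    # $1: host  $2: base DN  $3: subject line from openssl
    authzid=$(authzid_from_subject "$3")
    printf "ldapsearch -H ldap://%s -ZZ -Y EXTERNAL -O none -X '%s' -b '%s' '(objectClass=*)'" \
        "$1" "$authzid" "$2"
}

# Constructed sample input: the subject from the message, on one line.
SAMPLE_SUBJECT='subject=/C=DE/L=Baldham/O=/OU=/CN=Olaf Schlueter 4/Email=olaf.schlueter@planet-interkom.de'

# Print the resulting command. Run it only against a slapd configured for
# TLS client certificates, with TLS_CERT and TLS_KEY in ldap.conf (or
# ~/.ldaprc) pointing at the client certificate and key (assumed setup).
ldap_external_cmd ldap.example.org 'dc=example,dc=org' "$SAMPLE_SUBJECT"
echo
```

The script only prints the command; the certificate and key are picked up by the library from the client configuration, so nothing in the command line itself carries a secret.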

>>>>>>>>>>>>>>>>>> Original message <<<<<<<<<<<<<<<<<<

On 01.11.00, 22:07:28, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote on the 
subject Re: client authentication using TLS/SASL (ITS#865):


> At 07:54 PM 11/1/00 +0000, Olaf Schlüter wrote:
> >There seems also some work remaining on the server side. Following your
> >hint, I fixed cyrus.c to set a authid.

> I have changes in HEAD which should fix the client side.
> Please test.

> As far as the 2.0 server goes, slapd doesn't support SASL proxying.
> You should not specify an authorization identity.  That is, don't
> use -X.  slapd will derive an authorization identity from the
> TLS authentication identity.  It likely will be quite ugly,
> but you should be able to specify ACL which grant desired
> access.

> There is experimental proxying support in HEAD as well as
> identity mapping features.  See devel list archives for details.

> Kurt

=== cd /root/ldap/servers/slapd/
=== cvs -d :pserver:anonymous@cvs.OpenLDAP.org:/repo/OpenLDAP diff -u sasl.c

Index: sasl.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/sasl.c,v
retrieving revision 1.49
diff -u -r1.49 sasl.c
--- sasl.c	2000/10/12 17:02:31	1.49
+++ sasl.c	2000/11/04 21:41:29
@@ -546,7 +546,7 @@
 
 				send_ldap_sasl( conn, op, rc,
 					NULL, NULL, NULL, NULL,
-					response.bv_len ? &response : NULL );
+						/* response.bv_len ? &response :*/ NULL );
 
 			} else {
 				send_ldap_result( conn, op, rc,=== cd /root/ldap/clients/tools/
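Review bot: the `+` line turns the conditional into an unconditional NULL, which suppresses every server SASL credential instead of fixing the stale `response.bv_len` the covering message describes; initialize `response` (bv_len = 0, bv_val = NULL) before the code that fills it and keep `response.bv_len ? &response : NULL`, so a genuine challenge is still returned to the client. If the expression really is dead, delete it rather than leaving it commented out inside the call, and keep the indentation of the line being replaced (the `+` line has one extra tab).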
=== cvs -d :pserver:anonymous@cvs.OpenLDAP.org:/repo/OpenLDAP diff -u ldapmodrdn.c

Index: ldapmodrdn.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/clients/tools/ldapmodrdn.c,v
retrieving revision 1.73
diff -u -r1.73 ldapmodrdn.c
--- ldapmodrdn.c	2000/09/19 18:47:22	1.73
+++ ldapmodrdn.c	2000/11/04 21:49:10
@@ -113,7 +113,7 @@
     infile = NULL;
     not = contoper = verbose = remove = want_bindpw =
 		debug = manageDSAit = referrals = 0;
-    authmethod = LDAP_AUTH_SIMPLE;
+    authmethod = -1;
 	version = -1;
 
     prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : prog + 1;
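Review bot: `authmethod = -1` only works if the bind code later treats -1 as "not specified" and selects simple or SASL from the options actually given; that fallback is outside this hunk, so confirm it exists (the same convention is used for `version = -1` on the next line), otherwise a run with neither -x nor -Y hands -1 to the bind call. The accompanying message should state that this makes ldapmodrdn default like the other client tools reported as working with SASL.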