
RE: SASL/EXTERNAL (TLS)



At 12:17 PM 8/16/00 -0700, Howard Chu wrote:
>Just a bit of clarification here - I have code that will extract the DN of
>the peer certificate on a TLS session. If there is no peer certificate, it
>returns NULL. I'm inserting this into ldap_pvt_tls_get_peer() in
>libldap/tls.c.
>
>The openssl library routine X509_name_oneline() will return a printable
>version of an X.509 name. However, this DN will be in X.500 order, as
>opposed to LDAP order.
>Should the name that ldap_pvt_tls_get_peer() returns be in LDAP order?

The authentication identity can be in any form.  I'd rather the
form be as "natural" as possible.  That is, if the authentication
identity is derived from an X.509 certificate, the identity
should be in "natural" (e.g. X.500) form.

Once you have the identity and the associated session security
factor, you just need to let SASL know about it.  The
code is already prepped for the call:
#if 0
            /* we need to let SASL know */
            slap_sasl_external( c, ssf, authid );
#endif

ssf should be specified as well:
/* security layer strength factor -- an unsigned integer usable by the caller
 *  to specify approximate security layer strength desired.  Roughly
 *  correlated to effective key length for encryption.
 * 0   = no protection
 * 1   = integrity protection only
 * 40  = 40-bit DES or 40-bit RC2/RC4 
 * 56  = DES
 * 112 = triple-DES
 * 128 = 128-bit RC2/RC4/BLOWFISH
 */
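For anyone who does want the LDAP-order form that Howard asks about: the string X509_NAME_oneline() produces ("/C=US/O=Example/CN=...") lists RDNs most-significant first, while the LDAP string representation (RFC 2253) lists them least-significant first and escapes a handful of special characters in attribute values. The following is an added example, not code from this thread or from OpenLDAP's tls.c; it assumes only the oneline format shown and a constructed sample DN. It reverses the RDN order and escapes the RFC 2253 specials (",", "+", '"', "\", "<", ">", ";", a leading "#" or space, a trailing space).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RDNS 64

/* Convert a DN in X509_NAME_oneline() form ("/C=US/O=Example/CN=Foo")
 * into LDAP string order ("CN=Foo,O=Example,C=US") with RFC 2253 escaping.
 * Returns a malloc'd string the caller frees, or NULL on malformed input.
 * Assumption: the input is exactly the oneline format, i.e. every RDN is
 * introduced by '/' and contains an '='. */
char *x500_oneline_to_ldap(const char *oneline)
{
    const char *parts[MAX_RDNS];
    size_t lens[MAX_RDNS];
    int n = 0;
    const char *p = oneline;

    if (p == NULL || *p != '/')
        return NULL;

    /* Split on '/' into RDN substrings, recording start and length. */
    while (*p == '/') {
        const char *start = ++p;
        const char *slash = strchr(start, '/');
        size_t len = slash ? (size_t)(slash - start) : strlen(start);

        if (len == 0 || memchr(start, '=', len) == NULL || n == MAX_RDNS)
            return NULL;            /* empty RDN, no '=', or too many RDNs */
        parts[n] = start;
        lens[n] = len;
        n++;
        p = start + len;
    }
    if (n == 0)
        return NULL;

    /* Worst case: every value char escaped, plus n-1 commas and NUL. */
    char *out = malloc(2 * strlen(oneline) + 1);
    if (out == NULL)
        return NULL;
    char *o = out;

    /* Emit RDNs in reverse (LDAP) order. */
    for (int i = n - 1; i >= 0; i--) {
        const char *rdn = parts[i];
        size_t len = lens[i];
        const char *eq = memchr(rdn, '=', len);
        size_t typelen = (size_t)(eq - rdn) + 1;   /* includes '=' */
        const char *val = eq + 1;
        size_t vlen = len - typelen;

        memcpy(o, rdn, typelen);    /* attribute type copied verbatim */
        o += typelen;

        for (size_t j = 0; j < vlen; j++) {
            char c = val[j];
            int special = strchr(",+\"\\<>;", c) != NULL
                       || (j == 0 && (c == ' ' || c == '#'))
                       || (j == vlen - 1 && c == ' ');
            if (special)
                *o++ = '\\';
            *o++ = c;
        }
        if (i > 0)
            *o++ = ',';
    }
    *o = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample DN in oneline form; the comma in the O value
     * must come out escaped in the LDAP form. */
    const char *sample = "/C=US/O=Example, Inc./CN=Howard Chu";
    char *ldap = x500_oneline_to_ldap(sample);

    printf("X.500 order: %s\n", sample);
    printf("LDAP order:  %s\n", ldap ? ldap : "(malformed)");
    free(ldap);
    return 0;
}
```

Note that the oneline format itself does not escape a "/" inside a value, so a value containing one cannot be parsed back unambiguously; code that needs a robust LDAP-form DN from an X509_NAME should instead render it directly with X509_NAME_print_ex() and XN_FLAG_RFC2253, which already emits the reversed order and escaping, rather than post-processing X509_NAME_oneline() output as done here.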