
RE: testing ldaps:// w/ client certificates



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Howard Chu

> There are some client issues with SASL/EXTERNAL, the SASL library doesn't
> seem to think that EXTERNAL is a sufficiently secure mechanism with the
> default secprops. I think if the connection has TLS then we should be doing
> something with the secprops to tell Cyrus that EXTERNAL is acceptable.
>
Just to elaborate on this: slapd sets its default required properties as
   SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS
(slapd/sasl.c, slap_sasl_init, line 417)

My Cyrus SASL library has the flags for the EXTERNAL mechanism set to
   SASL_SEC_NOPLAINTEXT|SASL_SEC_NODICTIONARY

Since the NOANONYMOUS flag isn't present, the client library skips over this
mechanism, unless you somehow override the settings. By the way, I'm using
Cyrus SASL 1.5.24. If there is a newer version that I should be using, let me
know. I know this can be overridden in slapd.conf, but it seems to me that
slapd doesn't need to set the NOANONYMOUS flag by default.
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>
> > -----Original Message-----
> > From: owner-openldap-devel@OpenLDAP.org
> > [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
>
> > I'm not setup to test this.  If you are, please test
> > HEAD and OPENLDAP_REL_ENG_2 and report any success/failure.
> >
> > Thanks, Kurt
> >
>
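An added illustration of the property check discussed in this thread (example code written for this page, not code from OpenLDAP or Cyrus SASL): the client accepts a mechanism only when every required security property is among the properties the mechanism advertises, so EXTERNAL's NOPLAINTEXT|NODICTIONARY fails slapd's default NOPLAINTEXT|NOANONYMOUS on the missing NOANONYMOUS bit. The flag constants, struct and helper names are defined locally and are assumptions, not sasl.h's.

```c
#include <stdbool.h>
#include <stdio.h>

/* Security-property bits, defined locally for this example. Each is a
 * distinct bit; the values are illustrative and need not match sasl.h. */
#define SEC_NOPLAINTEXT  0x01
#define SEC_NODICTIONARY 0x04
#define SEC_NOANONYMOUS  0x10

struct mech {
    const char *name;
    unsigned flags;   /* properties the mechanism advertises */
};

/* Client-side rule: a mechanism qualifies only when every property the
 * application requires is among the properties the mechanism advertises. */
bool mech_acceptable(unsigned required, unsigned mech_flags)
{
    return (required & mech_flags) == required;
}

/* Which required properties the mechanism lacks; 0 means none. */
unsigned missing_props(unsigned required, unsigned mech_flags)
{
    return required & ~mech_flags;
}

/* First mechanism in the list that meets the requirements, or NULL when
 * none does (the "no mechanism available" case). */
const struct mech *select_mech(const struct mech *list, int n, unsigned required)
{
    for (int i = 0; i < n; i++)
        if (mech_acceptable(required, list[i].flags))
            return &list[i];
    return NULL;
}

int main(void)
{
    /* Constructed sample: EXTERNAL advertising the flags from the thread. */
    const struct mech mechs[] = { { "EXTERNAL", SEC_NOPLAINTEXT | SEC_NODICTIONARY } };
    unsigned slapd_default = SEC_NOPLAINTEXT | SEC_NOANONYMOUS;
    unsigned relaxed = SEC_NOPLAINTEXT;       /* NOANONYMOUS dropped */
    const struct mech *m = select_mech(mechs, 1, slapd_default);
    printf("default secprops: %s (missing 0x%02x)\n", m ? m->name : "none",
           missing_props(slapd_default, mechs[0].flags));
    m = select_mech(mechs, 1, relaxed);
    printf("without NOANONYMOUS: %s\n", m ? m->name : "none");
    return 0;
}
```

missing_props() is the piece worth keeping around when a client reports no usable mechanism: it names the exact property that disqualified each candidate.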