[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: testing ldaps:// w/ client certificates

To: "Howard Chu" <hyc@highlandsun.com>
Subject: RE: testing ldaps:// w/ client certificates
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 17 Sep 2001 19:18:08 -0700
Cc: <openldap-devel@OpenLDAP.org>
In-reply-to: <002d01c13fe4$4b5a7f80$0c01a8c0@fiddle.symas.com>
References: <002c01c13fe1$af3bae00$0c01a8c0@fiddle.symas.com>

At 06:50 PM 2001-09-17, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Howard Chu
>
>> There are some client issues with SASL/EXTERNAL, the SASL library doesn't
>> seem to
>> think that EXTERNAL is a sufficiently secure mechanism with the default
>> secprops.
>> I think if the connection has TLS then we should be doing
>> something with the
>> secprops to tell Cyrus that EXTERNAL is acceptable.
>>
>Just to elaborate on this: slapd sets its default required properties as
>   SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS
>(slapd/sasl.c, slap_sasl_init, line 417)
>
>My Cyrus SASL library has the flags for the EXTERNAL mechanism set to
>   SASL_SEC_NOPLAINTEXT|SASL_SEC_NODICTIONARY

ldap_int_sasl_external() should do the right thing...

Kurt

References:
- RE: testing ldaps:// w/ client certificates
  - From: "Howard Chu" <hyc@highlandsun.com>
- RE: testing ldaps:// w/ client certificates
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: testing ldaps:// w/ client certificates
Next by Date: FW: Segfault with TLS
Index(es):
- Chronological
- Thread