[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Basic SASL setup instructions

Well, I've learned some more of interest here. First, if you follow the
directions on
this URL

you can set your bind DN in the prefs.js file. When you do this, Netscape
will bind
directly to the given DN, instead of first binding anonymously to search for
user's DN. (It will still prompt you for the password.) Interestingly
enough, my logs
of this transaction shows that slapd returns error 48 (0x30), Inappropriate
Auth, but
Netscape ignores it completely, and issues your desired search request and
displays the results.

Also, using openssl's s_server command as a debug/test platform, I was able
to check out
some other things with the anonymous bind. First I copied the 14 bytes of
the successful bind response into a file, for feeding into sserver, then ran
the Netscape client against it.
(Fyi, these 14 bytes are 300c 0201 0161 070a 0100 0400 0400.) I found that
replacing the
61 with anything else would give that corresponding value as the error code
that Netscape displayed. (Except if I used 00, in which case Netscape
reported error 0xffffffff.)

Clearly there's something wrong with their BER decoding when SSL is in use.
Exactly what
is wrong is still unclear, but I get the impression that some bytes are out
of order...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Edwin Chiu
> Sent: Wednesday, October 18, 2000 6:13 AM
> To: Kurt D. Zeilenga
> Cc: Jim Hud; openldap-software@OpenLDAP.org
> Subject: Re: Basic SASL setup instructions
> Have you tried using just the Address Book in Netscape? I've never had
> any success with ldaps:// in Netscape... and unfortunately, LDAP doesn't
> seem to be present in Mozilla yet ;(
> The Address Book should support at minimum, SSL with client auth. I'm
> fairly certain it should support the use of client certs as well....
> Edwin
> "Kurt D. Zeilenga" wrote:
> > At 11:15 PM 10/17/00 +0100, Jim Hud wrote:
> > >Is it currently being worked on?
> >
> > Yes.
> >
> > >I was hoping to use TLS/SSL but neither
> > >Netscape or Outlook Express will work with authenticated SSL
> >
> > Note that client's TLS (SSL) certificate is not used establish
> > LDAP authorization unless the client requests a SASL/EXTERNAL
> > bind.
> >
> > >to slapd so SASL becomes the next best option,
> >
> > I didn't realize that Netscape and Microsoft clients had
> > implemented any SASL authentication methods yet.  I'm under
> > the impression they only support simple bind, but that they
> > did support this over both LDAP and LDAP over SSL.
> >
> > Netscape "smart" (anon search + simple bind) authentication
> > over ldaps:// doesn't work for me [the 0x61 issue others have
> > reported]... but simple bind works fine.  See FAQ for details
> > on how to provide a bind DN to Netscape.
> >   http://www.openldap.org/faq/index.cgi?file=138
> >
> > BTW, the test user "uid=test,dc=openldap,dc=org" w/
> > password "secret" is now available for testing purposes
> > at ldap://ldap.openldap.org/ & ldaps://ldap.openldap.org/
> >
> > >but I need the LDAP database to hold the id's and passwords.
> > >
> > >How can I help this along by adding my efforts?
> >
> > By enquiring on the developer's list.