[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL/EXTERNAL Mechanism Help

First off, I want to thank Kurt for his reply.  I just have a couple
clarifications to request.....

On Sat, 28 Jul 2001, Kurt D. Zeilenga wrote:

> >supported SASL mechanism. running
> > ldapsearch -x  -s base -b "" -ZZ  supportedsaslmechanisms
> > 
> >generates
> >dn:
> >supportedSASLMechanisms: LOGIN
> >supportedSASLMechanisms: PLAIN
> >supportedSASLMechanisms: DIGEST-MD5
> >supportedSASLMechanisms: CRAM-MD5  
> >
> >
> >but no EXTERNAL mechanism.
> Yes, it's not available unless the client has asserted
> its identity using a certificate.
Does anyone have any examples of client code that send a certificae to the
server ?  I am not quite sure how to test this out.  Also, I was wondering
if anyone on the list had any success using client certificates for
authentication purposes ?  

	Any tips on how to start, what to read, etc would be greatly

> >2) I have gotten my application to talk over the TLS link to the slapd
> >server (thanks to looking at the tools/ldap*.c code), and things are
> >working good, but I really require someway to know that the LDAP server my
> >application is talking to is trusted.  Basically I would like a way to
> >verify the certificate the slapd serevr is providing to my client app. Is
> >there a way to get the information about the server certificate using the
> >LDAP library ? the OpenSSL library ?
> If the servers is listening on ldaps://, you can use OpenSSL's
> builtin client to view the server's certificate.
	Would that be the openSSL s_client mode ?  I am looking for a way
to verify that the LDAP server my client application connects to is the
server that the client trusts.  Has anyone written a client using the LDAP
library that does this ?  It would be best if there was someway that I
could get the certificate information in my client (like Netscape does) so
that I can compare it to a list of known certificates.  I noticed that
when running the ldap* tools in -Z mode (TLS enabled) with debugging set
high, I see parts of the certificate in the debug information - does the
LDAP server send the certificate to the client ?  Is there anyway for me
to get access to this information ?

Thanks in advance

Matt Maynard
4B CS University of Waterloo