[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL EXTERNAL with TLS Authentication

The support here is pretty limited in 2.0.x, and it doesn't look like this
any chance of working. It does work in the HEAD, and the 2.1alpha code
should be OK as well. In particular, the SASL auth code in 2.0.x expects
usernames returned from the SASL library to be simple names, not DNs. As
such, it's impossible for it to be used with an X.509 cert.

The alpha code supports a config file keyword "sasl-external-x509dn-convert"
that will rewrite a cert's X.500-style DN into an LDAP-style DN. It also
supports a "sasl-regexp" keyword for mapping arbitrary SASL names into
usable DNs. One or both of these features is necessary for successfully

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David H. Hawes
> Sent: Wednesday, March 06, 2002 1:58 PM
> To: OpenLDAP-software@OpenLDAP.org
> Subject: SASL EXTERNAL with TLS Authentication
> I have been trying for several days to get SASL EXTERNAL working with TLS
> authentication (OpenLDAP 2.0.23 and Cyrus SASL 1.5.27).  I am
> able to do SASL
> binds with DIGEST-MD5 (so I know SASL works) and can use startTLS with
> 'TLSVerifyClient 1' set in my slapd.conf (so I can verify my client certs
> work).
> The relevant output I get from slapd when I run 'ldapsearch -h
> myserver -b
> 'dc=my-domain,dc=com' '(objectclass=*)' -ZZ -O none -Y EXTERNAL' is:
> ...
> do_sasl_bind: dn () mech EXTERNAL
> SASL Authorize [conn=6]: "<cert dn here>" as "u:<cert dn
> here>"
> slap_sasl_bind: username="u:<cert dn here>" realm="" ssf=0
> <== slap_sasl_bind: authorization disallowed
> ...
> ldapsearch's output is:
> ...
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Inappropriate authentication
>         additional info: authorization disallowed
> ...
> What am I missing to get the slap_sasl_bind to work?  And out of
> curiosity
> has anyone gotten this to work?  I've yet to find any success
> stories in my
> research.
> If and when I get this working, I hope to write a nice HOW-TO for
> myself and
> everyone else's benefit.
> Thank you!
> dave