
Re: What is EXTERNAL SASL Mechanism?



Hello Kurt,

OK, sorry that I repeat my question; it is just because I am too new to SASL and LDAP and have to learn a lot....
Here is my understanding of what may happen: the LDAP server gets the client certificate, reads the subject and attempts to interpret it as an LDAP user. Is that correct?

If the server wants to get the client identity from the certificate, it should require it during the handshake. I assume that the configuration parameter TLSVerifyClient should be "yes". Or maybe the EXTERNAL SASL mechanism is implemented in such a way that authentication is not influenced by the TLS configuration of the server?

Anyway, is it described somewhere how I should configure the LDAP server to use EXTERNAL? Has someone checked if it really works with the LDAP provider from Sun? Why don't I see EXTERNAL in the list of supportedSASLMechanisms when using Sun's LDAP provider for JNDI (I believe I have the latest version of it)?

Thanx a lot, Vadim Tarassov.

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Wednesday, 19 June 2002 20:30
To: vadim tarassov
Cc: openldap-software@OpenLDAP.org
Subject: Re: What is EXTERNAL SASL Mechanism?

SASL/EXTERNAL is used to request that an identity established
by a lower layer be used at the application layer.  In OpenLDAP,
as described in RFC 2829/2830, it's used to request the client's
TLS authentication identity be used as the LDAP authentication
identity, which is then used for authorization purposes.

At 02:27 PM 2002-06-18, vadim tarassov wrote:
>Hello everybody,
>
>I was googling for EXTERNAL SASL Mechanism, but could not find anything that could help me understand how openldap uses (implements?) it. I will be really glad if someone will explain it to me in a few details.
>
>Thanx a lot, Vadim Tarassov.
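The sequence Kurt describes (the TLS layer establishes an identity, SASL/EXTERNAL then asks the server to adopt it) and the TLSVerifyClient question raised above, worked through as an added Python model. This is illustrative code written for this thread, not OpenLDAP's implementation. It borrows two slapd.conf directive names that do exist, TLSVerifyClient (with its real values never, allow, try and demand rather than "yes") and authz-regexp, but the semantics are simplified: DN normalization is reduced to lowercasing, and the DNs, the rewrite rule and the certificate data are constructed sample values.

```python
"""Model of how an LDAP server turns a TLS client certificate into a
SASL/EXTERNAL identity. Added illustration, not OpenLDAP source.

Assumptions (labelled here and in the lead-in):
  * TLSVerifyClient takes never / allow / try / demand, as in slapd.conf.
  * authz-regexp rewrites the TLS-derived identity into a directory DN.
  * DN normalization is approximated by lowercasing.
  * All DNs and certificates below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientCert:
    subject_dn: str    # RFC 4514 subject, e.g. "cn=vadim,ou=people,dc=example,dc=com"
    chain_valid: bool  # did the TLS layer verify it against the configured CA?


def tls_handshake(verify_client: str, cert: Optional[ClientCert]) -> Optional[str]:
    """Return the identity established by the TLS layer, or None if there is none.

    never  : the server never asks for a certificate, so no identity can exist
    allow  : ask; a missing or untrusted certificate is ignored, session continues
    try    : ask; missing is fine, an untrusted certificate aborts the handshake
    demand : a trusted certificate is mandatory
    """
    if verify_client not in ("never", "allow", "try", "demand"):
        raise ValueError(f"unknown TLSVerifyClient value: {verify_client!r}")
    if verify_client == "never":
        return None
    if cert is None:
        if verify_client == "demand":
            raise ConnectionError("TLS handshake failed: client certificate required")
        return None
    if not cert.chain_valid:
        if verify_client in ("try", "demand"):
            raise ConnectionError("TLS handshake failed: client certificate not trusted")
        return None  # allow: drop the bad certificate, session stays anonymous
    return cert.subject_dn.lower()  # simplification of DN normalization


# authz-regexp style rules (constructed): map a certificate subject onto a directory DN.
AUTHZ_REGEXP = [
    (r"^cn=([^,]+),ou=people,dc=example,dc=com$",
     r"uid=\1,ou=people,dc=example,dc=com"),
]


def sasl_external_bind(tls_identity: Optional[str]) -> str:
    """SASL/EXTERNAL: adopt the lower-layer identity; fail if the layer gave none."""
    if tls_identity is None:
        raise PermissionError("SASL/EXTERNAL: no identity established by the TLS layer")
    for pattern, replacement in AUTHZ_REGEXP:
        if re.match(pattern, tls_identity):
            return re.sub(pattern, replacement, tls_identity)
    return tls_identity  # no rule matched: the subject DN itself is the bind identity


def describe_bind(verify_client: str, cert: Optional[ClientCert]) -> str:
    """Run handshake + EXTERNAL bind and report the outcome as one line."""
    try:
        return "bound as " + sasl_external_bind(tls_handshake(verify_client, cert))
    except (ConnectionError, PermissionError) as err:
        return "failed: " + str(err)


if __name__ == "__main__":
    good = ClientCert("CN=vadim,OU=people,DC=example,DC=com", chain_valid=True)
    bad = ClientCert("cn=mallory,ou=people,dc=example,dc=com", chain_valid=False)
    for setting, cert in [("never", good), ("allow", good), ("allow", bad),
                          ("try", bad), ("demand", None), ("demand", good)]:
        print(f"TLSVerifyClient {setting:6} cert={cert!r:>70}: "
              f"{describe_bind(setting, cert)}")
```

Running the demo shows the point behind both questions: with TLSVerifyClient never the server never requests a certificate, so EXTERNAL has nothing to adopt and the bind fails even though the client holds a perfectly good certificate; with allow, try or demand a verified certificate yields an identity that the authz-regexp rule turns into a directory entry. Whether a client library advertises EXTERNAL is a separate matter from whether the server has established a TLS identity; the model only covers the server side.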