
Re: SASL EXTERNAL TLS question

Milind wrote:
> I understand that I need to use SASL EXTERNAL.  I just can't figure out
> how I use it.  I looked around everywhere on OpenLDAP, and I am quite
> sure that there is a small HOWTO somewhere that will describe exactly
> what needs to be done.  Can any kind soul point me to it?

SASL External HOWTO?  Now that's a good one.  Not covered in the admin
guide and I couldn't find much info on it.  Luckily I found a few bits here
and there and stumbled into success with it.

Command line SASL, EXTERNAL mech setup:
1.  Configure client and server certs (I guess you already have).
      slapd.conf will contain TLS certificate directives as well as
      'TLSVerifyClient demand'.
      ldap.conf will contain 'TLS_REQCERT demand' (the default, actually).
      .ldaprc or ldaprc will contain the client-side certificate info.

2.  Check the TLS/SSL connection by calling ldapsearch using simple bind
      (either ldaps:// or ldap:// with '-ZZ').
      Check the LDAP server output/logs for the TLS handshake.

3.  Run another client command to verify the available SASL mechanisms:
      ldapsearch -x -s base '(objectclass=*)' -H ldap://<server> -ZZ supportedSASLMechanisms
      (that's what I used)

4.  If everything is configured for client auth and TLS/SSL is used, then
      EXTERNAL will be listed.
      You can't install a piece of software to get it; client auth needs to
      be configured and TLS used.

5.  Now you can run clients like this:
      ldapsearch -Y external -b dc=myserver,dc=com '(cn=*)'
      It works if the client cert is accepted.
      I get asked for a password.  Hit return.
      You can also use '-I' if you want.

6.  Use ACLs to control access to the directory.

I tried to get the SASL sample server working first (because that's always
the first step for anything SASL!), but I couldn't.

If you need to use SASL's EXTERNAL mechanism from within an application,
use ldap_sasl_interactive_bind_s() and callback code similar to
<openldap>/libraries/liblutil/sasl.c.  That's a whole 'nother set of emails
...

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
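The six steps above, gathered into one script as an added example (not code from the mail, nor from OpenLDAP itself). The file paths, hostname, base DN and the certificate subject are hypothetical. The slapd.conf fragment includes a step-6 ACL keyed on the client certificate's subject DN; when slapd derives the SASL EXTERNAL identity from an X.509 subject it uses the LDAP string form, whose component order is the reverse of what `openssl x509 -subject` prints in its old `/C=.../O=.../CN=...` layout, so `subject_to_authzdn` does that reversal for you. Always confirm the exact identity with `ldapwhoami -Y EXTERNAL -ZZ` before writing the ACL. Only the pure helpers run stand-alone on constructed data; `probe_server` contains the commands for steps 2-5 and needs a real server.

```shell
#!/bin/sh
# Added example for the SASL EXTERNAL setup described in the mail.
# All paths, hosts and DNs are hypothetical placeholders.
set -u

# --- Step 1: config fragments for server (slapd.conf) and client (ldap.conf, ~/.ldaprc) ---
write_config_fragments() {
    dir="$1"
    mkdir -p "$dir"
    # Server: its own cert/key, the CA that signed client certs, and
    # 'demand' so the handshake fails unless the client presents a valid cert.
    cat >"$dir/slapd.conf" <<'EOF'
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server-key.pem
TLSVerifyClient demand

# Step 6: grant rights to the identity slapd derives from the client cert.
# Use the DN exactly as 'ldapwhoami -Y EXTERNAL -ZZ' reports it.
access to dn.subtree="dc=myserver,dc=com"
    by dn.exact="CN=Kent Soper,O=Example,C=US" write
    by * read
EOF
    # System-wide client defaults; TLS_REQCERT demand is already the default.
    cat >"$dir/ldap.conf" <<'EOF'
URI         ldap://ldap.myserver.com
BASE        dc=myserver,dc=com
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_REQCERT demand
EOF
    # Per-user ~/.ldaprc: the client cert and key offered during the handshake.
    cat >"$dir/ldaprc" <<'EOF'
TLS_CERT /home/kent/certs/client.pem
TLS_KEY  /home/kent/certs/client-key.pem
EOF
}

# --- Step 4 check: does the root DSE (LDIF on stdin) advertise EXTERNAL? ---
external_offered() {
    grep -qx 'supportedSASLMechanisms: EXTERNAL'
}

# Constructed sample of 'ldapsearch -x -ZZ -s base ... supportedSASLMechanisms' output.
sample_rootdse() {
    cat <<'EOF'
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
EOF
}

# --- Step 6 helper: turn OpenSSL's "/C=US/O=Example/CN=Kent Soper" into the
# LDAP string form "CN=Kent Soper,O=Example,C=US" (components reversed).
# Assumes no '/' or ',' inside attribute values.
subject_to_authzdn() {
    printf '%s\n' "$1" | awk -F'/' '{
        n = 0
        for (i = 2; i <= NF; i++) if ($i != "") parts[++n] = $i
        out = ""
        for (i = n; i >= 1; i--) out = out (i == n ? "" : ",") parts[i]
        print out
    }'
}

# --- Steps 2-5 against a live server (not executed here; needs the certs above) ---
probe_server() {
    host="$1"; base="$2"
    # Step 2: simple bind with mandatory StartTLS; watch slapd's log for the handshake.
    ldapsearch -x -ZZ -H "ldap://$host" -s base -b '' '(objectclass=*)' namingContexts || return 1
    # Steps 3-4: EXTERNAL is listed only when TLS is up and the client cert was accepted.
    ldapsearch -x -ZZ -H "ldap://$host" -s base -b '' '(objectclass=*)' supportedSASLMechanisms \
        | external_offered || { echo "EXTERNAL not offered: check client cert / TLSVerifyClient" >&2; return 1; }
    # Step 5: bind with the EXTERNAL mechanism; ldapwhoami shows the identity slapd assigned.
    ldapwhoami -Y EXTERNAL -ZZ -H "ldap://$host" || return 1
    ldapsearch -Y EXTERNAL -ZZ -H "ldap://$host" -b "$base" '(cn=*)'
}

# Stand-alone demo on constructed data (no LDAP server required).
CFG=$(mktemp -d)
write_config_fragments "$CFG"
echo "config fragments written under $CFG"
sample_rootdse | external_offered && echo "sample root DSE offers EXTERNAL"
subject_to_authzdn '/C=US/O=Example/CN=Kent Soper'
```

Run `probe_server ldap.myserver.com dc=myserver,dc=com` once the certs are in place; if step 4 fails, the usual cause is that the client never sent a cert (wrong `TLS_CERT`/`TLS_KEY` in ldaprc) or the server could not chain it to `TLSCACertificateFile`.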