
Re: SASL EXTERNAL TLS question

Hello,

"Milind Khandekar" <MKhandekar@savi.com> writes:

> Requirement:
>
> Use OpenLDAP with TLS, with server supplying digital certificate and
> "demand"ing client certificate.  Based on client certificate, bind the
> client application to an entry.
>
> My progress thus far:
>
> The two way certificate exchange and client authentication works.
>
> Problem:
>
> I can't bind the client to an existing entry.
>
> I understand that I need to use SASL external.  I just can't figure
> out how I use it.  I looked around everywhere on OpenLDAP, and I am
> quite sure that there is a small HOWTO somewhere that will describe
> exactly what needs to be done.  Can any kind soul point me to it?

You have to create X.509 certificates for all your users. For this to
work properly, you might need to change openssl.conf to fit into your
directory scheme, that is, probably additional ou's, c's and o's.

To make use of the SASL EXTERNAL mechanism you have to start TLS, i.e.
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

The SASL username is read from the certificate and then parsed against an
entry, so make sure that the distinguished names are equal.

-Dieter
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
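The comparison Dieter describes, as an added example that is not part of the original post and not OpenLDAP's own code: the subject DN taken from the client certificate is matched RDN by RDN against entry DNs, with attribute types and caseIgnore values compared case-insensitively, which is why the mixed-case SASL username above resolves to the all-lower-case entry. It also converts the slash-separated subject line that older OpenSSL tools print into LDAP DN order, since the reversed component order is the usual reason a subject fails to match. The set of caseIgnore attribute types, the legacy OpenSSL subject format, the function names and the sample directory entries are all assumptions constructed for this example.

```python
"""Match a TLS client certificate's subject DN against directory entry DNs.

Added example for this thread, not code from the post or from OpenLDAP.
It shows why "SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de"
resolves to "dn: cn=dieter kluenter,ou=partner,o=avci,c=de": DNs are
compared RDN by RDN, attribute types and caseIgnore values are matched
case-insensitively, and RDN order still matters.  The caseIgnore type
set, the legacy OpenSSL subject format and the sample entries are
assumptions / constructed data for the example.
"""
import re

# Naming attributes whose values use caseIgnoreMatch in the core schema.
# Assumption for the example: anything not listed is compared exactly.
CASE_IGNORE_TYPES = {"cn", "sn", "givenname", "ou", "o", "c", "l", "st", "dc", "uid"}


def parse_dn(dn):
    """Split an RFC 4514 string DN into a list of RDNs, each a list of
    (type, value) pairs.  Splits only on unescaped ',' and '+', so an
    escaped separator inside a value ("cn=Kluenter\\, Dieter") survives."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((attr.strip(), value.strip()))
        rdns.append(avas)
    return rdns


def normalize_dn(dn):
    """Canonical form used for comparison: lower-case attribute types,
    whitespace-collapsed lower-case values for caseIgnore types, and a
    stable ordering inside multi-valued RDNs (cn=a+sn=b == sn=b+cn=a)."""
    canon = []
    for avas in parse_dn(dn):
        normalized = []
        for attr, value in avas:
            attr = attr.lower()
            if attr in CASE_IGNORE_TYPES:
                value = " ".join(value.split()).lower()
            normalized.append((attr, value))
        canon.append(tuple(sorted(normalized)))
    return tuple(canon)


def dn_equal(a, b):
    """True when two string DNs name the same entry."""
    return normalize_dn(a) == normalize_dn(b)


def openssl_subject_to_ldap_dn(subject):
    """Convert OpenSSL's legacy one-line subject ("/C=de/O=avci/OU=partner/
    CN=Dieter Kluenter", optionally prefixed "subject=") into LDAP string
    DN order, i.e. most specific RDN first.  Assumes no '/' inside values."""
    s = subject.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    parts = [p for p in s.split("/") if p]
    return ",".join(reversed(parts))


def entry_for_certificate(subject_dn, entry_dns):
    """Return the entry DN a SASL EXTERNAL bind would resolve to, or None
    when no entry DN equals the certificate subject (the failure mode in
    the question: the TLS handshake succeeds, but no entry is found)."""
    for entry_dn in entry_dns:
        if dn_equal(subject_dn, entry_dn):
            return entry_dn
    return None


# Constructed sample directory, modelled on the DN shown in the post.
SAMPLE_ENTRIES = [
    "ou=partner,o=avci,c=de",
    "cn=dieter kluenter,ou=partner,o=avci,c=de",
    "cn=milind khandekar,ou=staff,o=avci,c=de",
]

if __name__ == "__main__":
    subject = "CN=Dieter Kluenter,OU=partner,O=avci,C=de"  # as slapd reports it
    print("binds as:", entry_for_certificate(subject, SAMPLE_ENTRIES))
    converted = openssl_subject_to_ldap_dn("/C=de/O=avci/OU=staff/CN=Milind Khandekar")
    print("converted subject:", converted)
    print("binds as:", entry_for_certificate(converted, SAMPLE_ENTRIES))
```

Running the block with the subject from the post returns the partner entry; feeding it a subject whose ou does not exist in the directory returns None, which is the "authentication works but the bind does not map to an entry" situation in the question. Where the certificate subject cannot be issued in the same shape as the entry DN, slapd's authz-regexp directive can rewrite the SASL username onto an entry DN instead of relying on exact equality.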