
Re: SASL EXTERNAL TLS question

Dieter Kluenter writes:

> Hello,

> "Milind Khandekar" <MKhandekar@savi.com> writes:

>> Requirement:
>>
>> Use OpenLDAP with TLS, with server supplying digital certificate and
>> "demand"ing client certificate.  Based on client certificate, bind the
>> client application to an entry.
>>
>> My progress thus far:
>>
>> The two way certificate exchange and client authentication works.
>>
>> Problem:
>>
>> I can't bind the client to an existing entry.
>>
>> I understand that I need to use SASL external.  I just can't figure
>> out how I use it.  I looked around everywhere on OpenLDAP, and I am
>> quite sure that there is a small HOWTO somewhere that will describe
>> exactly what needs to be done.  Can any kind soul point me to it?

> You have to create X.509 certificates for all your users. For this to
> work properly, you might need to change openssl.conf to fit into your
> directory scheme, that is probably additional ou's, c's, o's.

> To make use of sasl external mechanism you have to start tls, i.e.
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
> SASL/EXTERNAL authentication started
> SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
> SASL SSF: 0
> dn:cn=dieter kluenter,ou=partner,o=avci,c=de
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

> SASL username is read from the certificate and then parsed against an
> entry, so make sure that the distinguished names are equal.

> -Dieter

I probably have a simple setup for my slapd, but the DN of the certificate
does not have to be parsed to match an entry in my directory.  If the client
cert can be verified by the server, the client is authenticated.  If a bad
client cert is used, the client is not authenticated.  I didn't even have a
sasl-regexp in my slapd.conf to get it to work.  However, Kurt Zeilenga did
suggest to me that I would need to do some mapping of the DNs.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
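As an added example (not part of the thread, and not OpenLDAP's own documentation), here is a slapd.conf fragment that demands a client certificate and maps the certificate subject DN onto an existing directory entry with sasl-regexp, which is the mapping Kurt suggested to Kent. The certificate naming ou=partner,o=avci,c=de is taken from Dieter's output; the target tree ou=people,dc=example,dc=com and the file paths are assumptions.

```conf
# slapd.conf fragment (constructed example, not from the thread).
# Server-side TLS: present our certificate and demand one from the client.
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/openldap/slapd-key.pem
TLSVerifyClient        demand

# With SASL EXTERNAL over TLS (ldapwhoami -Y EXTERNAL -ZZ), slapd takes the
# authentication identity from the client certificate's subject, in the form
#   dn:<normalized subject DN>
# e.g. dn:cn=dieter kluenter,ou=partner,o=avci,c=de (Dieter's output above).
# Without a mapping that subject DN itself becomes the bound identity, which is
# what Kent saw: a valid cert authenticates even if no such entry exists, so
# ACLs written against real entries will not apply to it.

# Map the certificate subject onto an existing entry: capture the cn from the
# subject and look it up under the people tree. The suffix and target tree are
# assumptions; adapt them to the issuing CA's naming scheme. Newer OpenLDAP
# releases spell this directive authz-regexp with the same two arguments.
sasl-regexp
    "^dn:cn=([^,]+),ou=partner,o=avci,c=de$"
    "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"

# With the mapping in place, "self" in the ACLs refers to the mapped entry.
access to attrs=userPassword
    by self write
    by * none
access to *
    by self write
    by users read
    by * none
```

The lookup URL must match exactly one entry; if it matches none or several, the bind is still authenticated but no mapping takes effect and the raw certificate DN is used.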