
RE: SASL EXTERNAL TLS question



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kent Soper

> Dieter Kluenter writes:

> > Hello,
>
> > "Milind Khandekar" <MKhandekar@savi.com> writes:
>
> >> Requirement:
> >>
> >> Use OpenLDAP with TLS, with server supplying digital certificate and
> >> "demand"ing client certificate.  Based on client certificate, bind the
> >> client application to an entry.
> >>
> >> My progress thus far:
> >>
> >> The two way certificate exchange and client authentication works.
> >>
> >> Problem:
> >>
> >> I can't bind the client to an existing entry.
> >>
> >> I understand that I need to use SASL external.  I just can't figure
> >> out how I use it.  I looked around everywhere on OpenLDAP, and I am
> >> quite sure that there is a small HOWTO somewhere that will describe
> >> exactly what needs to be done.  Can any kind soul point me to it?
>
> > You have to create X.509 certificates for all your users. For this to
> > work properly, you might need to change openssl.conf to fit into your
> > directory scheme, that is probably additional ou's, c's, o's.
>
> > To make use of sasl external mechanism you have to start tls, i.e.
> > -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> > dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
> > SASL/EXTERNAL authentication started
> > SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
> > SASL SSF: 0
> > dn:cn=dieter kluenter,ou=partner,o=avci,c=de
> > -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>
> > SASL username is read from the certificate and then parsed against an
> > entry, so make sure that the distinguished names are equal.
>
> > -Dieter
>
> I probably have a simple setup for my slapd, but the DN of the certificate
> does not have to be parsed to match an entry in my directory.  If the client
> cert can be verified by the server, client is authenticated.  If a bad
> client cert is used, client is not authenticated.

Correct. SASL authentication merely determines whether the server will
believe the user's assertion of the user's identity. Whether or not the
identity exists in LDAP is not a consideration. That's the whole point of
SASL, it's an external authentication system which uses out-of-band means to
validate an identity.

> I didn't even have a sasl-regexp in my slapd.conf to get it to work.
> However, Kurt Zeilenga did suggest to me that I would need to do some
> mapping of the dn's.

Mapping the DNs is merely a convenience. It's of greatest value when you
support multiple different means of authenticating, and you want to
coordinate them all with an existing user entry in the directory. This is
desirable for some purposes like e.g. pam_ldap, which must look up attributes
of a user after authenticating the user. In this case, you really want the
authentication ID to equate to the DN of an entry in the directory so you can
find the attributes of interest. But if all you needed was a boolean result
is/is-not authenticated, then mapping would be irrelevant.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
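The DN mapping Howard describes, as an added example that is not part of the thread: a small Python emulation of how an slapd `sasl-regexp` (later `authz-regexp`) rule turns the certificate subject that SASL EXTERNAL reports into the DN of a directory entry. The directory contents, the rule, and the `map_authc_dn` helper are all constructed for illustration; a real slapd does this internally against its own database.

```python
import re

# Constructed sample directory: entry DN -> attributes (stands in for slapd's database).
DIRECTORY = {
    "uid=dieter,ou=people,dc=example,dc=com": {"cn": ["dieter kluenter"]},
    "uid=milind,ou=people,dc=example,dc=com": {"cn": ["milind khandekar"]},
    "uid=mk2,ou=people,dc=example,dc=com":    {"cn": ["milind khandekar"]},  # duplicate cn
}

# Constructed rule in the spirit of sasl-regexp/authz-regexp: the pattern is matched
# against the normalized SASL authc DN, $1..$9 in the replacement are capture groups,
# and a replacement starting with ldap:/// is an LDAP URL that must hit exactly one entry.
RULES = [
    (r"^cn=([^,]+),ou=partner,o=avci,c=de$",
     "ldap:///ou=people,dc=example,dc=com??sub?(cn=$1)"),
]

def normalize_dn(dn):
    """Lowercase and trim the DN, as the ldapwhoami output in the thread shows it."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def search_url(url):
    """Resolve a minimal ldap:///base??scope?(attr=value) URL against DIRECTORY."""
    m = re.fullmatch(r"ldap:///([^?]*)\?\?([^?]*)\?\((\w+)=([^)]*)\)", url)
    if not m:
        return []
    base, scope, attr, value = m.groups()
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_base = dn == base if scope == "base" else dn.endswith("," + base)
        if in_base and value in [v.lower() for v in attrs.get(attr, [])]:
            hits.append(dn)
    return hits

def map_authc_dn(cert_subject):
    """Return the entry DN a verified client cert maps to, or None.
    None means the cert verified (authentication succeeded), but there is no single
    entry to bind as, so nothing can be looked up the way pam_ldap needs."""
    authc = normalize_dn(cert_subject)
    for pattern, replacement in RULES:
        m = re.fullmatch(pattern, authc)
        if not m:
            continue
        result = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
        if not result.startswith("ldap:///"):
            return result  # replacement was a literal DN
        hits = search_url(result)
        return hits[0] if len(hits) == 1 else None  # exactly one entry required
    return None  # no rule matched: identity is authenticated but unmapped
```

The ambiguous case (two entries with the same cn) is deliberately left unmapped, which is the behaviour you want from the real rule rather than an arbitrary pick.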