Re: SASL EXTERNAL TLS question
Kent Soper <firstname.lastname@example.org> writes:
> Dieter Kluenter writes:
>> "Milind Khandekar" <MKhandekar@savi.com> writes:
>> SASL username is read from the certificate and then parsed against an
>> entry, so make sure that the distinguished names are equal.
> I probably have a simple setup for my slapd, but the DN of the certificate
> does not have to be parsed to match an entry in my directory. If the client
> cert can be verified by the server, the client is authenticated. If a bad
> client cert is used, the client is not authenticated. I didn't even have a
> sasl-regexp in my slapd.conf to get it to work. However, Kurt Zeilenga did
> suggest to me that I would need to do some mapping of the DNs.
That is in principle correct: you don't need a certificate DN that
matches an entry, but if you have ACLs that require a specific DN, e.g.

access to dn.subtree=cn=Monitor
    by dn.exact="cn=dieter kluenter,ou=partner,o=avci,c=de" write

SASL has to map the SASL username to a DN.
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
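As an added illustration of the mapping Dieter describes (this fragment is not from the thread and not from the OpenLDAP project), here is a slapd.conf setup in which the certificate subject and the directory entry deliberately differ, so that an ACL written against the entry DN only works once sasl-regexp maps one to the other. The file paths, the suffix o=avci,c=de, the ou=people entry and the ou=partner certificate subject are assumptions; newer OpenLDAP releases spell the directive authz-regexp, with sasl-regexp kept as an alias.

```conf
# slapd.conf fragment (added example). Assumed: the key/cert paths, the
# suffix o=avci,c=de, an entry cn=dieter kluenter,ou=people,o=avci,c=de,
# and a client certificate whose subject is
# cn=dieter kluenter,ou=partner,o=avci,c=de (note the different ou).

TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/openldap/slapd-key.pem

# Demand a client certificate that chains to the CA above; without one
# the TLS handshake, and therefore SASL EXTERNAL, fails.
TLSVerifyClient demand

# Map the certificate subject (the SASL authentication identity) to the
# entry the ACLs refer to. The first argument is a POSIX extended regexp,
# the second a DN template or an LDAP URL; a URL mapping only succeeds
# when the search returns exactly one entry, otherwise the identity stays
# unmapped and the ACL below does not match.
sasl-regexp
    "cn=([^,]+),ou=partner,o=avci,c=de$"
    "ldap:///ou=people,o=avci,c=de??sub?(cn=$1)"

# The ACL names the entry DN, not the certificate subject: without the
# mapping above this client would authenticate but get no access here.
access to dn.subtree="cn=Monitor"
    by dn.exact="cn=dieter kluenter,ou=people,o=avci,c=de" write
    by * none
```

To confirm which DN the ACLs actually see, bind from a client that has TLS_CERT and TLS_KEY set in its ldap.conf or .ldaprc and run `ldapwhoami -ZZ -Y EXTERNAL -H ldap://server/`; the DN it prints is the result of the mapping, and if it still shows the certificate subject rather than the entry DN, the regexp did not match or the search returned zero or several entries.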