
Re: SASL EXTERNAL TLS question



Hi,

Kent Soper <dksoper@us.ibm.com> writes:

> Dieter Kluenter writes:
>
>> Hello,
>
>> "Milind Khandekar" <MKhandekar@savi.com> writes:
>
[...]
>> SASL username is read from the certificate and than parsed against an
>> entry, so make sure that the distinguished names are equal.
>
>> -Dieter
>
> I probably have a simple setup for my slapd, but the DN of the certificate
> does not have to be parsed to match an entry in my directory.  If the client
> cert can be verified by the server, the client is authenticated.  If a bad
> client cert is used, the client is not authenticated.  I didn't even have a
> sasl-regexp in my slapd.conf to get it to work.  However, Kurt Zeilenga did
> suggest to me that I would need to do some mapping of the DNs.

That is in principle correct; you don't need a certificate DN that
matches an entry, but if you have ACLs that require a specific DN,
like

access to dn.subtree=cn=Monitor
        by dn.exact="cn=dieter kluenter,ou=partner,o=avci,c=de" write

then SASL has to parse the SASL username into a DN.

-Dieter
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
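A concrete slapd.conf fragment for the situation Dieter describes (cert-authenticated clients whose subject DN is not an entry DN, but DN-based ACLs still have to apply). This is an added example, not part of the original mail or of OpenLDAP's own docs; the certificate/key paths, the directory base dc=example,dc=com and the ou=people subtree are assumed.

```conf
# Added example (not from the thread): map the SASL EXTERNAL identity,
# i.e. the subject DN of the verified client certificate, onto a real
# directory entry so that "by dn.exact=..." ACLs can refer to that entry.
# Paths and the dc=example,dc=com base are assumptions.

TLSCACertificateFile  /etc/openldap/cacert.pem    # CA that issued client certs (path assumed)
TLSCertificateFile    /etc/openldap/slapd.pem     # server cert (path assumed)
TLSCertificateKeyFile /etc/openldap/slapd.key     # server key (path assumed)
TLSVerifyClient demand   # a client cert that does not chain to the CA is rejected

# Without a mapping the authenticated identity is simply the certificate
# subject DN, e.g. cn=dieter kluenter,ou=partner,o=avci,c=de, and it only
# satisfies "by dn.exact=" if an entry with exactly that DN exists.
# This rule takes any certificate issued under ou=partner,o=avci,c=de and
# rewrites it into an LDAP URL; the search must return exactly one entry,
# and that entry's DN becomes the identity the ACLs see.
# (sasl-regexp is the OpenLDAP 2.1 spelling; 2.2 and later call it authz-regexp.)
sasl-regexp
    "^cn=([^,]+),ou=partner,o=avci,c=de$"
    "ldap:///ou=people,dc=example,dc=com??sub?(cn=$1)"

# The ACL from the mail, now keyed on the mapped entry rather than the
# raw certificate subject. Other cert holders get read access only.
access to dn.subtree="cn=Monitor"
    by dn.exact="cn=dieter kluenter,ou=people,dc=example,dc=com" write
    by users read
    by * none
```

To check what identity slapd actually ends up with after the mapping, run `ldapwhoami -ZZ -Y EXTERNAL` with the client certificate configured in ldap.conf; it prints the resulting DN, so a cert that falls through the regexp is visible as an unmapped subject DN.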