
RE: SASL EXTERNAL TLS question
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Milind Khandekar

> Hmm, so let me restate my requirement:
> Requirement:
> 
> Use OpenLDAP with TLS, with server supplying digital 
> certificate and "demand"ing client certificate.  Based on 
> client certificate, bind the client application to an entry.
> 
> Like Howard and Kent say, my LDAP client application does get 
> authenticated to the server.  And I don't need to involve 
> SASL at all.

Not true; the SASL library is still involved even though it does (next to)
nothing in this case. You must perform a SASL Bind with the EXTERNAL
mechanism in order to authenticate using the certificates.

> However, I have the following default access 
> control mechanism:
> 
> access to *
> 	by self write
> 	by users read
> 	by anonymous auth
> 
> The way I read the above policy is that if I created an 
> entry, I can write to it, others can only read.  So, if one 
> client application created, say, three entries of a 
> particular objectClass, only that application can modify it.

No. "self" means the one entry whose DN matches your authentication DN. It
does *not* mean "all entries I created." It also means, if you want to use
TLS certificates for authentication and to control access to some directory
entries, then the DN in the certificate must correspond to the DN of a
directory entry. Or you must use saslRegexp to map from the certificate DN to
the directory entry DN.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

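The setup Howard describes, written out as a slapd.conf fragment. This is an added example, not configuration from the original message or from the OpenLDAP project: the domain example.com, the certificate paths, the CA and the application certificate with subject "C=US, O=Example, OU=Apps, CN=app1" are all assumptions. The directive spellings are the slapd.conf ones of that era (saslRegexp; later releases call the same directive authz-regexp).

```conf
# slapd.conf fragment (added example; the example.com names and
# certificate paths are assumptions, not values from the message)

# Server certificate and key, plus the CA that issued the client certificates.
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key

# "demand": refuse any TLS session whose client does not present a
# certificate that chains to the CA above.
TLSVerifyClient demand

# Presenting the certificate only sets up the session. The client still
# has to perform a SASL bind with the EXTERNAL mechanism; the authentication
# DN it then gets is the certificate subject in LDAP string form. For a
# certificate issued with subject
#     C=US, O=Example, OU=Apps, CN=app1
# that DN is
#     cn=app1,ou=Apps,o=Example,c=US
# which is not an entry under dc=example,dc=com, so map it onto one.
# (Newer releases spell this directive authz-regexp.)
saslRegexp
    "^cn=([^,]+),ou=Apps,o=Example,c=US$"
    "ldap:///ou=Apps,dc=example,dc=com??sub?(cn=$1)"

database bdb
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"

# The policy from the message. After the mapping above, "self" for app1
# is the single entry cn=app1,ou=Apps,dc=example,dc=com: that entry gets
# write, every other authenticated identity gets read, and entries app1
# happened to create are not treated specially.
access to *
    by self write
    by users read
    by anonymous auth
```

On the client side the certificate and key are per-user options, so they go in ~/.ldaprc (TLS_CACERT, TLS_CERT, TLS_KEY) or the LDAPTLS_CACERT, LDAPTLS_CERT and LDAPTLS_KEY environment variables, not in the system ldap.conf. Before trusting the regular expression, check what slapd actually derived from the certificate with `ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL`: it prints the DN the bind resolved to, and if the saslRegexp did not match, the unmapped certificate DN comes back instead and "by self write" will never apply to a directory entry.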