
Re: SASL EXTERNAL with URLs other than ldapi://


Well, actually, I am performing tests on the server itself, and my
ldap.conf file contains:

URI             ldaps://ldap.mydomain.com
BASE            dc=mydomain,dc=com
TLS_CACERT      /usr/share/ssl/certs/cacert.pem
TLS_CERT        /usr/share/ssl/certs/myhost.crt
TLS_KEY         /usr/share/ssl/certs/myhost.key
#TLS_REQCERT    never

where myhost.crt and myhost.key are the same files I am currently using in
the server's setup (as the parameters for TLSCertificateFile and
TLSCertificateKeyFile; the CA certificate file is also the same).

Even trying with SSL (ldaps://...), TLS (-Z, or even -ZZ), SASL with
GSSAPI, etc., the result is always the same: the "EXTERNAL" SASL
mechanism doesn't show up :\

I'm using openldap 2.2.13 and Cyrus SASL 2.1.19 on a Fedora Core 3 Linux box.
My other test box is an FC1, with openldap 2.1.22 and SASL 2.1.15, and its
behavior is exactly the same :\

... searching the iNet, I have found some reports of installations in
which a single "ldapsearch -x -h localhost ..." was able to "magically"
list the "EXTERNAL" mechanism, but... I could not figure out what the
difference between those and mine is :\

Btw, does anybody have the "EXTERNAL" SASL mech. available via ldap:// or
ldaps:// ???

Thanks very much, folks!!


> On Thu, 10 Feb 2005, Jan-Piet Mens wrote:
>> On Thu Feb 10 2005 at 15:38:43 CET, Rodolfo Broco Manin wrote:
>>> This may be a silly question, but... how can I use SASL's "EXTERNAL"
>>> mechanism with OpenLDAP over network connections (ldap:// and ldaps://
>>> URLs)?  Here at my site I can see "supportedSASLMechanisms: EXTERNAL"
>>> only when connecting via a ldapi:// URL.
>> ...
>>> (It's not available using TLS or SSL)
>>> # ldapsearch -x -Z -H ldap://localhost -b "" -LLL -s base
>> Try forcing TLS with another -Z or using ldaps://localhost
>> $ ldapsearch -x -ZZ -H ldap://localhost -b "" -LLL -s base
>>                  ^
>> $ ldapsearch -x -H ldaps://localhost -b "" -LLL -s base
> You need to setup a client certificate.  I assume your server is properly
> configured for TLS.  See http://www.openldap.org/doc/admin22/tls.html for
> more.
> --
> Igor
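As an added example, not taken from the thread above, here is the pair of settings that makes slapd offer EXTERNAL on a TLS connection: the server has to request a client certificate (the TLSVerifyClient directive, covered in the admin-guide TLS chapter Igor links to, defaults to "never", in which case no client certificate is ever sent and EXTERNAL is not advertised), and the client has to send one. Two practitioner caveats that the post itself does not mention: ldap.conf(5) documents TLS_CERT and TLS_KEY as user-only options, so they are read from ~/.ldaprc (or the file named by $LDAPRC) rather than from the system-wide ldap.conf; and "-x" selects a simple bind, so it is fine for listing the root DSE but the actual EXTERNAL bind needs "-Y EXTERNAL" without "-x". The host name, paths and base DN are copied from the post; the client certificate file names, the certificate subject DN and the sasl-regexp mapping are assumptions and depend on how the client certificate was issued.

```conf
# Added example, not the original poster's configuration.
# Hostname, paths and base DN are taken from the post; client.crt/client.key,
# the certificate subject and the sasl-regexp mapping are assumed.

# --- slapd.conf (server side) ---
TLSCACertificateFile  /usr/share/ssl/certs/cacert.pem
TLSCertificateFile    /usr/share/ssl/certs/myhost.crt
TLSCertificateKeyFile /usr/share/ssl/certs/myhost.key
# Request a client certificate during the TLS handshake. With the default
# "never" no CertificateRequest is sent, so EXTERNAL never appears.
# "try" still accepts connections without a certificate; "demand" rejects them.
TLSVerifyClient       try
# The EXTERNAL authentication identity on a TLS connection is the subject DN
# of the verified client certificate; map it onto a directory entry.
# (Assumed subject form: cn=<host>,ou=hosts,dc=mydomain,dc=com)
sasl-regexp
    "cn=([^,]+),ou=hosts,dc=mydomain,dc=com"
    "cn=$1,ou=hosts,dc=mydomain,dc=com"

# --- ~/.ldaprc (client side, home directory of the user running ldapsearch) ---
# TLS_CERT and TLS_KEY are user-only options per ldap.conf(5); placing them
# only in the system-wide ldap.conf means no client certificate is sent.
URI         ldaps://ldap.mydomain.com
BASE        dc=mydomain,dc=com
TLS_CACERT  /usr/share/ssl/certs/cacert.pem
TLS_CERT    /usr/share/ssl/certs/client.crt
TLS_KEY     /usr/share/ssl/certs/client.key
TLS_REQCERT demand
```

To check the result, first confirm the mechanism is advertised on the TLS connection with `ldapsearch -x -H ldaps://ldap.mydomain.com -b "" -s base -LLL supportedSASLMechanisms`, then bind with it: `ldapwhoami -Y EXTERNAL -H ldaps://ldap.mydomain.com` (or `ldapwhoami -Y EXTERNAL -ZZ -H ldap://ldap.mydomain.com` for StartTLS) should print the DN the sasl-regexp mapped the certificate to. If EXTERNAL is still missing, `openssl s_client -connect ldap.mydomain.com:636 -CAfile /usr/share/ssl/certs/cacert.pem` shows whether the server sent a CertificateRequest: "No client certificate CA names sent" in its output means TLSVerifyClient is still effectively "never".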