
Re: SASL EXTERNAL with URLs other than ldapi://

On Thu, 10 Feb 2005 rodolfo@ime.unicamp.br wrote:


> Well, actually, I am performing tests at the server itself, and my
> ldap.conf file contains:
>
> URI             ldaps://ldap.mydomain.com
> BASE            dc=mydomain,dc=com
> TLS_CACERT      /usr/share/ssl/certs/cacert.pem
> TLS_CERT        /usr/share/ssl/certs/myhost.crt
> TLS_KEY         /usr/share/ssl/certs/myhost.key

You cannot specify TLS_(KEY|CERT) in ldap.conf. These are user-only options (.ldaprc). See man ldap.conf.

> #TLS_REQCERT    never
>
> where myhost.crt and myhost.key are the same files I am currently using in
> the server's setup (as parameters for TLSCertificateFile and
> TLSCertificateKeyFile.  The CA certificate file is also the same).

A client certificate is more than likely going to be different from the server certificate. Do you have your cert DN in your directory, or have you mapped the cert DN into an LDAP DN?

> Even trying with SSL (ldaps://...), TLS (-Z, or even -ZZ), SASL with GSSAPI, etc., etc., the result is always the same: the "EXTERNAL" SASL mechanism doesn't show up :\
>
> I'm using openldap 2.2.13 and Cyrus SASL 2.1.19 on a Fedora Core 3 Linux.
> My other test box is a FC1, with openldap 2.1.22 and SASL 2.1.15, and its
> behavior is exactly the same :\
>
> ... searching the iNet, I have found some reports of installations in
> which a single "ldapsearch -x -h localhost ..." was able to "magically"
> list the "EXTERNAL" mechanism, but... I could not figure out what the
> difference is between those and mine :\
>
> Btw, does somebody have the "EXTERNAL" SASL mech. available via ldap:// or
> ldaps://?

I have it working. This will only work for ldaps://. SASL EXTERNAL uses TLS for authentication among other things. SASL EXTERNAL is also available over ldapi.
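On the server side, the two things the reply asks about (whether slapd requests the client certificate at all, and whether the certificate's subject DN is mapped to an entry) are slapd.conf settings. The fragment below is an added illustration and is not configuration from this thread or from the OpenLDAP project; the certificate paths are the ones quoted above, while the certificate subject, the `o=mydomain,c=br` naming and the `uid`-based lookup are assumed for the example. The directive is `authz-regexp` in 2.2 (older releases spelled it `sasl-regexp`).

```conf
# slapd.conf fragment (added illustration; subject DN and directory layout assumed)
TLSCACertificateFile    /usr/share/ssl/certs/cacert.pem
TLSCertificateFile      /usr/share/ssl/certs/myhost.crt
TLSCertificateKeyFile   /usr/share/ssl/certs/myhost.key

# The default, "never", means slapd never asks the client for a certificate,
# so the connection has no external identity and EXTERNAL is not advertised.
#TLSVerifyClient        never
# "try" requests a certificate but still accepts connections without one
# (a bad certificate ends the session); "demand" ends the session whenever
# no valid certificate is presented.
TLSVerifyClient         try

# Map the certificate subject DN, as slapd presents it (lower-cased), onto the
# user's entry. Assumed: the client certificate subject is
# CN=rodolfo,OU=People,O=mydomain,C=BR and the entry carries uid=rodolfo.
authz-regexp
    "^cn=([^,]+),ou=people,o=mydomain,c=br$"
    "ldap:///dc=mydomain,dc=com??sub?(uid=$1)"
```

With `TLSVerifyClient try` a client that presents no certificate still connects, so an SSF-only check does not tell you whether the mapping worked; `ldapwhoami -H ldaps://ldap.mydomain.com -Y EXTERNAL` is the direct test, since it prints the DN the mapping produced.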
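Two client-side checks follow from the reply: the user-only `TLS_CERT`/`TLS_KEY` options have to live in `~/.ldaprc` rather than the system `ldap.conf`, and EXTERNAL only appears in the root DSE's `supportedSASLMechanisms` on a connection that has already presented external credentials (a verified client certificate over ldaps://, or peer credentials over ldapi://). The script below is an added example, not code from the thread or from OpenLDAP: it parses the quoted `ldap.conf`, reports the options that libldap ignores there, renders the `~/.ldaprc` lines that would carry them, and parses a constructed root DSE search result (the LDIF shape that `ldapsearch -H ldaps://ldap.mydomain.com -x -s base -b '' supportedSASLMechanisms` returns) to say whether EXTERNAL was offered.

```python
import re

# ldap.conf(5) marks TLS_CERT and TLS_KEY "user-only": libldap reads them from
# ~/.ldaprc (or LDAPTLS_CERT / LDAPTLS_KEY in the environment) and ignores them
# in the system-wide ldap.conf, which is the problem pointed out in the reply.
USER_ONLY_TLS_OPTIONS = ("TLS_CERT", "TLS_KEY")

# Constructed sample: the ldap.conf quoted in the thread.
SAMPLE_LDAP_CONF = """\
URI             ldaps://ldap.mydomain.com
BASE            dc=mydomain,dc=com
TLS_CACERT      /usr/share/ssl/certs/cacert.pem
TLS_CERT        /usr/share/ssl/certs/myhost.crt
TLS_KEY         /usr/share/ssl/certs/myhost.key
#TLS_REQCERT    never
"""

# Constructed sample of the LDIF that
#   ldapsearch -H ldaps://ldap.mydomain.com -x -s base -b '' supportedSASLMechanisms
# returns on a connection where the client certificate was presented and
# verified; without that, slapd leaves EXTERNAL out of the list.
SAMPLE_ROOT_DSE = """\
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
"""


def parse_ldap_conf(text):
    """Parse 'OPTION value' lines into a dict keyed by upper-cased option name.
    Blank lines and '#' comments are skipped, so the commented-out TLS_REQCERT
    in the sample is not reported as set."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def split_system_and_user(text):
    """Return (system_opts, user_opts): the options that belong in ldap.conf and
    the user-only ones that must move to ~/.ldaprc to take effect."""
    opts = parse_ldap_conf(text)
    user = {k: v for k, v in opts.items() if k in USER_ONLY_TLS_OPTIONS}
    system = {k: v for k, v in opts.items() if k not in USER_ONLY_TLS_OPTIONS}
    return system, user


def lint_ldap_conf(text):
    """One finding per user-only option found in a system-wide ldap.conf."""
    _, user = split_system_and_user(text)
    return [f"{k} in ldap.conf is ignored by libldap; put it in ~/.ldaprc"
            for k in sorted(user)]


def render_ldaprc(user_opts):
    """Render the moved options as ~/.ldaprc lines."""
    return "".join(f"{k} {v}\n" for k, v in sorted(user_opts.items()))


def supported_sasl_mechanisms(ldif):
    """Collect supportedSASLMechanisms values from root DSE LDIF. Attribute
    names are case-insensitive in LDIF, so the match is too."""
    pattern = r"(?im)^supportedsaslmechanisms:\s*(\S+)\s*$"
    return [m.group(1).upper() for m in re.finditer(pattern, ldif)]


def external_offered(ldif):
    """True when the server advertised EXTERNAL on this connection."""
    return "EXTERNAL" in supported_sasl_mechanisms(ldif)


if __name__ == "__main__":
    for finding in lint_ldap_conf(SAMPLE_LDAP_CONF):
        print("ldap.conf:", finding)
    _, user = split_system_and_user(SAMPLE_LDAP_CONF)
    print("~/.ldaprc should contain:\n" + render_ldaprc(user), end="")
    print("EXTERNAL offered:", external_offered(SAMPLE_ROOT_DSE))
```

Run the real `ldapsearch` against the server after moving the two options into `~/.ldaprc` and feed its output to `external_offered`; if EXTERNAL is still missing, the server side (whether slapd requests client certificates at all) is the next thing to look at, and `ldapwhoami -H ldaps://ldap.mydomain.com -Y EXTERNAL` shows which DN the certificate ends up mapped to.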