[Date Prev][Date Next]
Re: SASL Mech EXTERNAL disabled?
Philip Guenther <firstname.lastname@example.org> writes:
> On Mon, 28 Sep 2009, Dieter Kluenter wrote:
>> after updating to openldap-2.4.18, tls enabled sasl external mechanism
>> seems to be disabled, but it is still enabled via ldapi://
>> Is this a bug, or has something changed which I haven't noticed?
> Hard to say whether this is a change when you don't say what version you
> updated from...
> The SASL EXTERNAL mechanism is only availible to ldap or ldaps connections
> 1) the server requests a certificate (TLSVerifyClient option is set to
> something other than "never"),
> 2) the client provides a certificate (TLS_CERT and TLS_KEY settings are
> used), AND
> 3) the server can verify the client's cert (the cert is under a CA
> available to slapd via TLSCACertificateFile or TLSCACertificatePath
> and passes the various validity checks, etc)
> Do those options all still look correct in your configs and are the CAs
> still where you expect? Did you switch from building against OpenSSL to
> GNUtls or make any other build-time configuration changes?
The update was from 2.4.17 to 2.4.18 build with openssl.
,----[ ldaprc ]
| BASE o=avci,c=de
| TLS_CACERT /home/dieter/certs/avciCA.pem
| TLS_CERT /home/dieter/certs/dkluenter.pem
| TLS_KEY /home/dieter/certs/dkluenter-key.pem
| TLS_CIPHER_SUITE HIGH
| TLS_REQCERT demand
,----[ cn=config.ldif ]
| olcTLSCACertificateFile: /etc/openldap/certs/avciCA.pem
| olcTLSCertificateFile: /etc/openldap/certs/magenta.pem
| olcTLSCertificateKeyFile: /etc/openldap/certs/magenta-key.pem
| olcTLSCipherSuite: HIGH:MEDIUM
| olcTLSVerifyClient: demand
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6