[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAPS (LDAP over SSL) client authentication

Luke Howard wrote:
> What about doing a SASL bind with a mechanism other than EXTERNAL, over SSL?
> Can I use that to set an alternate authorization identity too?

Yes, at least in Netscape Directory Server.  Any Bind (except for
a few special cases) sets the subsequent authorization identity,
regardless of what happened during SSL session negotiation.

There are some relevant Internet Drafts:
<draft-ietf-ldapext-ldapv3-tls-02.txt> section 6
I tried to conform to these (actually previous versions of them),
when implementing LDAPS for Netscape.