
Re: SASL EXTERNAL with TLS Authentication



On Wednesday 06 March 2002 18:05, Howard Chu wrote:
| The support here is pretty limited in 2.0.x, and it doesn't look like this
| has any chance of working. It does work in the HEAD, and the 2.1alpha code
| should be OK as well. In particular, the SASL auth code in 2.0.x expects
| usernames returned from the SASL library to be simple names, not DNs. As
| such, it's impossible for it to be used with an X.509 cert.
|
| The alpha code supports a config file keyword
| "sasl-external-x509dn-convert" that will rewrite a cert's X.500-style DN
| into an LDAP-style DN. It also supports a "sasl-regexp" keyword for mapping
| arbitrary SASL names into usable DNs. One or both of these features is
| necessary for successfully using SASL EXTERNAL with TLS.
|

That's all true, but if you don't want to wait for 2.1 you can apply the
following small patch to 2.0.23 (unofficially):

--- ./servers/slapd/sasl.c.orig Thu Feb 14 16:17:45 2002
+++ ./servers/slapd/sasl.c      Thu Feb 14 16:18:35 2002
@@ -466,7 +466,7 @@

                        } else if ( username[0] == 'u' && username[1] == ':'
                                && username[2] != '\0'
-                               && strpbrk( &username[2], "+=,;\"\\ \t") == 
NULL )
+                               && strpbrk( &username[2], "+,;\"\t\\") == 
NULL )                        {
                                *edn = ch_malloc( sizeof( "uid= + realm=" )
                                        + strlen( &username[2] )
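Review bot: the narrowed strpbrk() set in this hunk drops '=' and the space character from the rejected list, so a certificate subject in the X.500 style Howard mentions can now reach the `u:` branch, but the trailing context then copies that value verbatim into the `uid=...+realm=...` string whose buffer is sized from sizeof( "uid= + realm=" ), with no RFC 2253 escaping; a subject value with a leading or trailing space (which RFC 2253 requires to be escaped) yields a DN that will not match the intended entry. Consider escaping the copied value, or at least keeping a check that rejects a leading or trailing space, rather than only shrinking the filter, and add a comment on the new set saying why '=' and space are now permitted. Note also that ',' stays in the rejected set, so a name already in LDAP form (`cn=...,o=...`) is still turned away here; only the slash-separated form gets through.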


I got it working with that.

|   -- Howard Chu
|   Chief Architect, Symas Corp.       Director, Highland Sun
|   http://www.symas.com               http://highlandsun.com/hyc
|   Symas: Premier OpenSource Development and Support
|
| > -----Original Message-----
| > From: owner-openldap-software@OpenLDAP.org
| > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David H. Hawes
| > Sent: Wednesday, March 06, 2002 1:58 PM
| > To: OpenLDAP-software@OpenLDAP.org
| > Subject: SASL EXTERNAL with TLS Authentication
| >
| >
| > I have been trying for several days to get SASL EXTERNAL working with TLS
| > authentication (OpenLDAP 2.0.23 and Cyrus SASL 1.5.27).  I am able to do
| > SASL binds with DIGEST-MD5 (so I know SASL works) and can use startTLS with
| > 'TLSVerifyClient 1' set in my slapd.conf (so I can verify my client certs
| > work).
| >
| > The relevant output I get from slapd when I run 'ldapsearch -h myserver -b
| > 'dc=my-domain,dc=com' '(objectclass=*)' -ZZ -O none -Y EXTERNAL' is:
| > ...
| > do_sasl_bind: dn () mech EXTERNAL
| > SASL Authorize [conn=6]: "<cert dn here>" as "u:<cert dn here>"
| > slap_sasl_bind: username="u:<cert dn here>" realm="" ssf=0
| > <== slap_sasl_bind: authorization disallowed
| > ...
| >
| > ldapsearch's output is:
| > ...
| > SASL/EXTERNAL authentication started
| > ldap_sasl_interactive_bind_s: Inappropriate authentication
| >         additional info: authorization disallowed
| > ...
| >
| > What am I missing to get the slap_sasl_bind to work?  And out of curiosity,
| > has anyone gotten this to work?  I've yet to find any success stories in my
| > research.
| >
| > If and when I get this working, I hope to write a nice HOW-TO for myself and
| > everyone else's benefit.
| >
| > Thank you!
| >
| > dave

-- 
Karsten.

"Things should be made as simple as possible, but not any simpler."
  -Albert Einstein
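As an added example (not code from this thread, from Karsten's patch, or from OpenLDAP itself), the C program below shows two things the thread talks about: which `u:` names the original and the patched strpbrk() character sets from the 2.0.23 hunk accept, and one way to rewrite an OpenSSL one-line X.500-style subject such as `/C=US/O=Example/CN=Dave Hawes` into an LDAP-style DN with RFC 2253 escaping, which is the kind of conversion Howard describes for the 2.1 `sasl-external-x509dn-convert` keyword. The conversion routine, its names, the 64-RDN limit and the assumption that no attribute value contains '/' are this example's own, not slapd's implementation; the sample subjects are constructed.

```c
#include <stdio.h>
#include <string.h>

/* The two character sets from the strpbrk() calls in the 2.0.23 patch above.
 * A "u:<name>" SASL username passes only if it contains none of them. */
static const char *REJECT_ORIG    = "+=,;\"\\ \t";   /* before the patch */
static const char *REJECT_PATCHED = "+,;\"\t\\";     /* after: '=' and ' ' allowed */

/* Mirrors the condition in the hunk: non-empty and free of rejected chars.
 * Returns 1 if the name passes, 0 if it is rejected. */
int sasl_uname_passes(const char *name, const char *reject_set)
{
    return name[0] != '\0' && strpbrk(name, reject_set) == NULL;
}

/* Escape one RDN value per RFC 2253 section 2.4: a leading '#' or space, a
 * trailing space, and any of , + " \ < > ; get a backslash.  Writes a
 * NUL-terminated string; returns bytes written (excluding NUL) or -1 if
 * the output buffer is too small. */
static int escape_rdn_value(const char *val, size_t len, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < len; i++) {
        char c = val[i];
        int esc = (c != '\0' && strchr(",+\"\\<>;", c) != NULL)
               || (i == 0 && (c == ' ' || c == '#'))
               || (i == len - 1 && c == ' ');
        if (o + (esc ? 2u : 1u) + 1 > outlen)
            return -1;
        if (esc)
            out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Rewrite an OpenSSL one-line subject, "/C=US/O=Example/CN=Dave Hawes", as an
 * LDAP DN, "CN=Dave Hawes,O=Example,C=US": RDNs reversed, joined by ',',
 * values escaped.  Assumption for this example (not slapd's logic): every RDN
 * starts with '/' and no value contains '/'.  Returns 0 on success, -1 on
 * malformed input or a too-small buffer. */
int x509_oneline_to_ldap_dn(const char *in, char *out, size_t outlen)
{
    enum { MAX_RDN = 64 };          /* illustrative limit */
    const char *start[MAX_RDN];
    size_t count = 0, o = 0;

    if (in[0] != '/' || outlen == 0)
        return -1;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '/') {
            if (count == MAX_RDN)
                return -1;
            start[count++] = p + 1;
        }
    }
    /* Walk the RDNs last-to-first so the most specific one leads. */
    for (size_t k = count; k-- > 0; ) {
        const char *rdn = start[k];
        const char *end = (k + 1 < count) ? start[k + 1] - 1 : rdn + strlen(rdn);
        const char *eq  = memchr(rdn, '=', (size_t)(end - rdn));
        if (eq == NULL || eq == rdn)            /* need "type=value" */
            return -1;
        size_t tlen = (size_t)(eq - rdn);
        size_t need = (o > 0 ? 1 : 0) + tlen + 1;  /* optional ',' + type + '=' */
        if (o + need + 1 > outlen)
            return -1;
        if (o > 0)
            out[o++] = ',';
        memcpy(out + o, rdn, tlen);
        o += tlen;
        out[o++] = '=';
        int n = escape_rdn_value(eq + 1, (size_t)(end - eq - 1), out + o, outlen - o);
        if (n < 0)
            return -1;
        o += (size_t)n;
    }
    out[o] = '\0';
    return 0;
}

/* Convenience wrapper returning a static buffer (NULL on failure). */
const char *x509_to_ldap_dn(const char *in)
{
    static char buf[512];
    return x509_oneline_to_ldap_dn(in, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed sample subject, not taken from the thread. */
    const char *subj = "/C=US/O=Example/CN=Dave Hawes";
    printf("original filter: %s\n", sasl_uname_passes(subj, REJECT_ORIG) ? "pass" : "reject");
    printf("patched  filter: %s\n", sasl_uname_passes(subj, REJECT_PATCHED) ? "pass" : "reject");
    const char *dn = x509_to_ldap_dn(subj);
    printf("LDAP DN: %s\n", dn ? dn : "(conversion failed)");
    return 0;
}
```

The filter check makes the thread's failure concrete: the slash-separated subject contains '=' and a space, so the pre-patch set rejects it while the patched set lets it through, and a name already in LDAP form is still rejected by both because ',' stays in the set. The converter is one illustration of what an X.500-to-LDAP rewrite has to do (reverse the RDN order and escape the values) and is not a drop-in for slapd's keyword.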