It can be, see this:
http://www.openldap.org/doc/admin23/tls.html#TLS%20Certificates
TLSVerifyClient { never | allow | try | demand } (in slapd.conf)
Note: The server must request a client certificate in order to use the SASL
EXTERNAL authentication mechanism with a TLS session. As such, a non-default
TLSVerifyClient setting must be configured before SASL EXTERNAL authentication
may be attempted, and the SASL EXTERNAL mechanism will only be offered to the
client if a valid client certificate was received.
There is still client config work you'll have to do to get the CLI tools to send
the cert (the link has the conf file directives you need). I don't know what
you have in your slapd.conf, however you will want to map your X.509 DNs to LDAP
DNs if the cert is being used to auth a specific DN in the tree (this is one
config option, others may have different ideas).
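The steps from this reply and from the earlier one in the thread (request the client certificate with a non-default TLSVerifyClient, give the CLI tools a certificate through ldap.conf or .ldaprc, map the certificate subject to a directory DN, then read the rootDSE to see whether EXTERNAL is offered), pulled together as an added shell example. This is not code from the original thread or from OpenLDAP's own documentation; the host name, certificate paths and the authz-regexp pattern are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread: the client-side pieces of
# SASL EXTERNAL over StartTLS against OpenLDAP 2.3, with the matching
# slapd.conf lines kept alongside for reference. Host name, file paths and
# the authz-regexp pattern are assumptions, not values from the thread.

LDAP_URI="ldap://ldap.example.com"   # assumed FQDN; must match the server cert

# Client side: the CLI tools read TLS settings from /etc/openldap/ldap.conf
# or ~/.ldaprc. Without TLS_CERT/TLS_KEY no client certificate is sent, so
# the server never sees a verified cert and EXTERNAL is never offered.
write_ldaprc() {
  cat > "$1" <<'EOF'
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_CERT    /etc/openldap/certs/client.pem
TLS_KEY     /etc/openldap/certs/client-key.pem
TLS_REQCERT demand
EOF
}

# Server side (slapd.conf fragment, for reference). TLSVerifyClient must be
# something other than the default "never", or the certificate is not even
# requested. authz-regexp rewrites the certificate subject DN that SASL
# EXTERNAL yields into the directory entry to bind as; the match pattern
# assumes certificates issued with a cn=...,ou=people,o=example subject.
# If /usr/lib/sasl2/slapd.conf carries a mech_list, "external" has to be in
# it as well, since that list restricts what slapd will advertise.
print_slapd_fragment() {
  cat <<'EOF'
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server-key.pem
TLSVerifyClient       try
authz-regexp
  "^cn=([^,]+),ou=people,o=example$"
  "cn=$1,ou=people,dc=example,dc=com"
EOF
}

# Parse ldapsearch rootDSE output on stdin; succeed only if EXTERNAL is
# among the advertised SASL mechanisms. slapd prints the attribute once
# per value, so a plain line match is enough.
external_offered() {
  grep -q '^supportedSASLMechanisms: EXTERNAL$'
}

# Live checks (need a reachable server, so they only run when asked).
# -ZZ aborts if StartTLS fails instead of continuing in the clear, which
# is what a bare -Z does. The rootDSE is read with -x (simple anonymous
# bind) because the point is to see what the server offers before binding.
live_check() {
  ldapsearch -x -ZZ -H "$LDAP_URI" -s base -b "" \
      '(objectClass=*)' supportedSASLMechanisms |
    external_offered || {
      echo "EXTERNAL not offered: check TLSVerifyClient and the client cert" >&2
      return 1
    }
  # Bind with the certificate and show which DN the server mapped it to.
  ldapwhoami -ZZ -H "$LDAP_URI" -Y EXTERNAL
}

case "${1:-}" in
  live) live_check ;;
  conf) print_slapd_fragment ;;
  rc)   write_ldaprc "$HOME/.ldaprc" ;;
esac
```

Run it with `conf` to print the server-side fragment, `rc` to write the client-side ~/.ldaprc, and `live` against the real server; `ldapwhoami -Y EXTERNAL` is the quickest way to confirm that the authz-regexp mapping produced the DN you expected rather than the raw certificate subject.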
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 27, 2007 12:35 PM
To: [email protected]
Subject: RE: Can't make SLES 9 OpenLDAP work with TLS/SSL
[sorry for the long post; I'm leaving the original posting intact to provide
context]
Thank you very much for the reply. I ran the command you supplied, and
received (in part):
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
I don't see 'external', so am I correct in assuming TLS/SSL can not be used?
Thanks
tl
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chapman, Kyle
Sent: Tuesday, March 27, 2007 11:43 AM
To: [email protected]
Subject: RE: Can't make SLES 9 OpenLDAP work with TLS/SSL
I'm guessing it's a typo with your SASL search; -x enables simple auth. Try
this:
ldapsearch -x -H ldap://<fqdn> -Z -s base -b "" "+"
You should get a listing of supported SASL mechs:
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
Etc...
EXTERNAL is cert-based, so you also may need to configure ldap.conf with the
location of your client cert if you are doing mutual cert auth as well
(.ldaprc could be used as well).
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 27, 2007 10:17 AM
To: [email protected]
Subject: Can't make SLES 9 OpenLDAP work with TLS/SSL
[I posted this to the Novell novell.support.sles.configure-administer
discussion group, but have not received any response. As I have an end-of-week
deadline to get this working, I'm re-posting it to this mailing list, with
apologies.]
Hi
I'm trying to use the SLES 9 SP3 OpenLDAP server with TLS. I've read the LDAP
chapter (Chapter 21) of the 'SuSE Linux Enterprise Server 9 Administration and
Installation Guide', as well as much of "OpenLDAP Software 2.3 Administrator's
Guide". I've used the YaST LDAP Server Configuration utility, and have enabled
TLS support.
When I run ldapsearch with simple authentication, the command does return the
requested output:
# ldapsearch -x -b dc=backup
But when I run the command in the default SASL mode, I get:
# ldapsearch -x -b dc=backup
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database
I see two problems:
1) DIGEST-MD5 is being used, and believe I want EXTERNAL (which, I think, calls
TLS) to be used. I see that /usr/lib/sasl2/slapd.conf contains "mech_list:
gssapi digest-md5 cram-md5". I don't see 'external'
in the list. Should I just add it? If so, why wasn't this done by YaST
automatically?
2) the error message contains, "user not found: no secret in database".
What user is being referred to, and what/where is this database?
Finally, I've noted what could be a bug. The sample applications
(sample_client and sample_server) are not present in the SLES 9 'cyrus-sasl'
package, but they are present in the SLES 10 'cyrus-sasl' package.
If this is documented somewhere, please point me to it. I sure don't find what
I need in the SLES documentation.
Thanks for the help!
tl
Terry Lemons
Backup Platforms Group
EMC²
where information lives
4400 Computer Drive, MS D239
Westboro MA 01580
Phone: 508 898 7312
Email: [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]