Philip Guenther guenther+ldapsoft@sendmail.com writes:
On Mon, 28 Sep 2009, Dieter Kluenter wrote:
after updating to openldap-2.4.18, tls enabled sasl external mechanism seems to be disabled, but it is still enabled via ldapi://
...
Is this a bug, or has something changed which I haven't noticed?
Hard to say whether this is a change when you don't say what version you updated from...
The SASL EXTERNAL mechanism is only available to ldap or ldaps connections if
- the server requests a certificate (TLSVerifyClient option is set to something other than "never"),
- the client provides a certificate (TLS_CERT and TLS_KEY settings are used), AND
- the server can verify the client's cert (the cert is under a CA available to slapd via TLSCACertificateFile or TLSCACertificatePath and passes the various validity checks, etc)
Do those options all still look correct in your configs and are the CAs still where you expect? Did you switch from building against OpenSSL to GNUtls or make any other build-time configuration changes?
The update was from 2.4.17 to 2.4.18, built with openssl.
,----[ ldaprc ]
| BASE o=avci,c=de
| TLS_CACERT /home/dieter/certs/avciCA.pem
| TLS_CERT /home/dieter/certs/dkluenter.pem
| TLS_KEY /home/dieter/certs/dkluenter-key.pem
| TLS_CIPHER_SUITE HIGH
| TLS_REQCERT demand
`----

,----[ cn=config.ldif ]
| olcTLSCACertificateFile: /etc/openldap/certs/avciCA.pem
| olcTLSCertificateFile: /etc/openldap/certs/magenta.pem
| olcTLSCertificateKeyFile: /etc/openldap/certs/magenta-key.pem
| olcTLSCipherSuite: HIGH:MEDIUM
| olcTLSVerifyClient: demand
`----
-Dieter
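The three conditions Philip lists can be turned into a static check of the two config files. The following is an added example written for this thread, not code from the thread or from the OpenLDAP project: it parses an ldaprc-style fragment and a cn=config LDIF fragment (simple `key value` / `olcAttr: value` lines only, no LDIF continuation lines or base64 values) and reports which of the three preconditions for SASL EXTERNAL over ldap:// or ldaps:// is not met. The sample configs are constructed from the settings Dieter posted plus a deliberately broken variant; the paths are placeholders.

```python
"""Static check: can SASL EXTERNAL work over TLS with these configs?

Added example for the thread above. It only re-implements the three
conditions listed there (server requests a cert, client presents one,
server has a CA to verify it); it does not open any connection.
"""


def parse_ldaprc(text):
    """Parse ldap.conf / ldaprc style lines: 'KEY value', '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts


def parse_config_ldif(text):
    """Parse 'olcAttr: value' lines from a cn=config LDIF fragment.

    Assumption: one attribute per line, plain (non-base64) values.
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts


def external_over_tls_problems(client, server):
    """Return the reasons SASL EXTERNAL cannot work on ldap(s)://.

    An empty list means the three static preconditions are satisfied.
    Whether the CA really signs the client cert must still be checked
    against the files themselves (e.g. openssl verify -CAfile).
    """
    problems = []
    # slapd defaults TLSVerifyClient to "never", so an unset value fails too.
    verify = server.get("olcTLSVerifyClient", "never").lower()
    if verify == "never":
        problems.append("server: olcTLSVerifyClient is 'never' or unset, "
                        "so slapd never asks for a client certificate")
    if "TLS_CERT" not in client or "TLS_KEY" not in client:
        problems.append("client: TLS_CERT and TLS_KEY must both be set "
                        "for the client to present a certificate")
    if not (server.get("olcTLSCACertificateFile")
            or server.get("olcTLSCACertificatePath")):
        problems.append("server: no olcTLSCACertificateFile or "
                        "olcTLSCACertificatePath to verify the client cert")
    return problems


# Constructed samples (paths are placeholders, not real files).
CLIENT_OK = """\
BASE o=example,c=de
TLS_CACERT /path/to/ca.pem
TLS_CERT /path/to/user.pem
TLS_KEY /path/to/user-key.pem
TLS_REQCERT demand
"""

CLIENT_NO_KEY = """\
BASE o=example,c=de
TLS_CACERT /path/to/ca.pem
TLS_CERT /path/to/user.pem
"""

SERVER_OK = """\
olcTLSCACertificateFile: /path/to/ca.pem
olcTLSCertificateFile: /path/to/server.pem
olcTLSCertificateKeyFile: /path/to/server-key.pem
olcTLSVerifyClient: demand
"""

SERVER_NO_VERIFY = """\
olcTLSCACertificateFile: /path/to/ca.pem
olcTLSCertificateFile: /path/to/server.pem
olcTLSCertificateKeyFile: /path/to/server-key.pem
olcTLSVerifyClient: never
"""


if __name__ == "__main__":
    for name, c, s in [("ok", CLIENT_OK, SERVER_OK),
                       ("server never", CLIENT_OK, SERVER_NO_VERIFY),
                       ("client no key", CLIENT_NO_KEY, SERVER_OK)]:
        probs = external_over_tls_problems(parse_ldaprc(c),
                                           parse_config_ldif(s))
        print(name, "->", probs or "looks fine")
```

When the static check passes but EXTERNAL still fails, the remaining suspect is the third condition at runtime: confirm with `openssl verify -CAfile <CA file> <client cert>` that the client certificate chains to the CA slapd is configured with, then test the bind with `ldapwhoami -Y EXTERNAL -ZZ -H ldap://<host>/` and read the server log at a verbose loglevel for the TLS handshake result.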