Philip Guenther <[email protected]> writes:

> On Mon, 28 Sep 2009, Dieter Kluenter wrote:
>> after updating to openldap-2.4.18, tls enabled sasl external mechanism
>> seems to be disabled, but it is still enabled via ldapi://
> ...
>> Is this a bug, or has something changed which I haven't noticed?
>
> Hard to say whether this is a change when you don't say what version you
> updated from...
>
> The SASL EXTERNAL mechanism is only available to ldap or ldaps connections
> if
> 1) the server requests a certificate (TLSVerifyClient option is set to
>    something other than "never"),
> 2) the client provides a certificate (TLS_CERT and TLS_KEY settings are
>    used), AND
> 3) the server can verify the client's cert (the cert is under a CA
>    available to slapd via TLSCACertificateFile or TLSCACertificatePath
>    and passes the various validity checks, etc)
>
> Do those options all still look correct in your configs and are the CAs
> still where you expect? Did you switch from building against OpenSSL to
> GNUtls or make any other build-time configuration changes?
The update was from 2.4.17 to 2.4.18, built with openssl.

,----[ ldaprc ]
| BASE o=avci,c=de
| TLS_CACERT /home/dieter/certs/avciCA.pem
| TLS_CERT /home/dieter/certs/dkluenter.pem
| TLS_KEY /home/dieter/certs/dkluenter-key.pem
| TLS_CIPHER_SUITE HIGH
| TLS_REQCERT demand
`----

,----[ cn=config.ldif ]
| olcTLSCACertificateFile: /etc/openldap/certs/avciCA.pem
| olcTLSCertificateFile: /etc/openldap/certs/magenta.pem
| olcTLSCertificateKeyFile: /etc/openldap/certs/magenta-key.pem
| olcTLSCipherSuite: HIGH:MEDIUM
| olcTLSVerifyClient: demand
`----

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
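A small diagnostic for the three prerequisites Philip lists, added here as an example and not part of either poster's setup: it reads the client ldaprc and the slapd configuration (cn=config LDIF or slapd.conf style), checks that TLSVerifyClient is not "never" and that TLS_CERT/TLS_KEY are set, and, where the certificate files and openssl are present, runs `openssl verify` of the client cert against the server's CA file. The two config files it writes are constructed samples mirroring the ones posted above; the paths in them are assumed.

```shell
#!/bin/sh
# Check the three SASL EXTERNAL prerequisites: 1) server requests a client cert,
# 2) client configures cert+key, 3) client cert chains to a CA slapd trusts.
# The two config files below are constructed samples modelled on the thread.
TMP=$(mktemp -d)
cat > "$TMP/ldaprc" <<'EOF'
BASE o=avci,c=de
TLS_CACERT /home/dieter/certs/avciCA.pem
TLS_CERT /home/dieter/certs/dkluenter.pem
TLS_KEY /home/dieter/certs/dkluenter-key.pem
TLS_REQCERT demand
EOF
cat > "$TMP/config.ldif" <<'EOF'
olcTLSCACertificateFile: /etc/openldap/certs/avciCA.pem
olcTLSCertificateFile: /etc/openldap/certs/magenta.pem
olcTLSVerifyClient: demand
EOF

# cfg_value FILE KEY: value of KEY in ldaprc ("KEY value"), slapd.conf
# ("TLSKey value") or cn=config LDIF ("olcTLSKey: value"); case-insensitive.
cfg_value() {
    awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        { key = tolower($1); sub(/:$/, "", key); sub(/^olc/, "", key)
          if (key == k) { print $2; exit } }' "$1"
}

# 1) Server side: TLSVerifyClient unset or "never" means no cert is requested.
server_requests_cert() {
    v=$(cfg_value "$1" TLSVerifyClient)
    [ -n "$v" ] && [ "$v" != never ]
}

# 2) Client side: both TLS_CERT and TLS_KEY must be set in ldaprc.
client_presents_cert() {
    [ -n "$(cfg_value "$1" TLS_CERT)" ] && [ -n "$(cfg_value "$1" TLS_KEY)" ]
}

# 3) Does the client cert verify against the CA slapd uses? Needs the real
# files and openssl; returns 2 when that cannot be checked on this host.
ca_verifies_cert() {
    ca=$(cfg_value "$2" TLSCACertificateFile); cert=$(cfg_value "$1" TLS_CERT)
    [ -r "$ca" ] && [ -r "$cert" ] && command -v openssl >/dev/null || return 2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

server_requests_cert "$TMP/config.ldif" && echo "1) server requests a client cert" || echo "1) FAIL: TLSVerifyClient is never/unset"
client_presents_cert "$TMP/ldaprc" && echo "2) client has TLS_CERT and TLS_KEY" || echo "2) FAIL: TLS_CERT/TLS_KEY missing"
ca_verifies_cert "$TMP/ldaprc" "$TMP/config.ldif"; rc=$?
case $rc in 0) echo "3) client cert chains to the server CA" ;; 2) echo "3) skipped: cert files not on this host" ;; *) echo "3) FAIL: openssl verify rejected the client cert" ;; esac
```

Point the script at the real files on the slapd host to get an answer for check 3; a failure there is the case Philip describes, where the CA file slapd reads no longer contains the issuer of the client cert.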
