On Thu, 12 Mar 2015 14:00:02 +0100, Hallvard Breien Furuseth <[email protected]> wrote:

> On 12. mars 2015 13:03, Dieter Klünter wrote:
> > rfc-4422 describes an EXTERNAL mechanism. Is there any means of
> > defining and configuring an external authentication and
> > authorization source, like an external sasl server? Or is this just
> > confined to the client to provide an appropriate authorization
> > string?
>
> EXTERNAL means the credentials are passed in another layer than SASL
> (or LDAP): A TLS client certificate, or with ldapi:// (Unix domain
> sockets) some OSes including Linux can get the user/group ID from the
> socket. Try "ldapwhoami -H ldapi://".

RFC 4422 describes an EXTERNAL mechanism that 'allows a client to request the server to use credentials established by means external to the mechanism to authenticate the client.'

> What you describe sounds to me more like stuff like Kerberos tickets.
> These are passed inside a SASL mechanism (GSSAPI), after SASL on
> the server side is configured to check them against a Kerberos server.

It is a bit more complicated than Krb5 and GSSAPI. I'm in an Erlang/OTP environment which provides an authorization server, called sasl server. I have no clue yet what this sasl server provides. But there is a requirement that slapd accepts the authorization string, which should be mapped to a DN. Mapping seems not to be a problem.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
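The two EXTERNAL identity sources Hallvard names (peer credentials over ldapi://, or a TLS client certificate) both arrive at slapd as an authentication identity string that still has to be mapped to a DN, which is the mapping step Dieter mentions. The following is an added example, not code from this thread or from OpenLDAP: a small Python model of how slapd's authz-regexp rules turn such a string into a DN. The authz-regexp directive, its "$N" back-reference syntax and the "gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth" form of the ldapi:// identity are real; the particular patterns, target DNs, the assumed normalized form of the TLS subject DN, and the sample identities are constructed for this example.

```python
import re

# Constructed rules in the shape of slapd's "authz-regexp <pattern> <replacement>".
# The directive and the "$N" back-reference syntax are slapd's; these patterns and
# target DNs are assumptions for the example. As in slapd, the first match wins.
AUTHZ_REGEXP_RULES = [
    # uid 0 / gid 0 over ldapi:// (peer credentials read from the Unix socket)
    # -> the directory manager entry.
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=manager,dc=example,dc=com"),
    # Any other local user over ldapi:// -> an entry named after the numeric uid.
    (r"^gidNumber=[0-9]+\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$",
     "uid=$1,ou=people,dc=example,dc=com"),
    # Subject DN of a TLS client certificate (assumed normalized form) -> user entry.
    (r"^cn=([^,]+),ou=certs,o=example corp$",
     "uid=$1,ou=people,dc=example,dc=com"),
]

_COMPILED = [(re.compile(pattern), replacement) for pattern, replacement in AUTHZ_REGEXP_RULES]


def map_authz_identity(identity):
    """Map a SASL EXTERNAL authentication identity to a DN.

    Returns the DN produced by the first matching rule, or None when no rule
    matches. In slapd an unmapped identity keeps its raw "...,cn=auth" form,
    so ACLs written in terms of real directory DNs will not apply to it;
    checking for None here is the equivalent of noticing that gap.
    """
    for regex, replacement in _COMPILED:
        match = regex.match(identity)
        if match:
            # slapd writes back-references as $1, $2, ...; re.Match.expand wants \1, \2, ...
            return match.expand(replacement.replace("$", "\\"))
    return None


# Constructed sample identities: what "ldapwhoami -H ldapi://" reports for root and
# for uid 1000 before mapping, an assumed TLS certificate subject, and a DIGEST-MD5
# identity that no EXTERNAL rule should touch.
SAMPLE_IDENTITIES = [
    "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",
    "gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth",
    "cn=alice,ou=certs,o=example corp",
    "uid=bob,cn=digest-md5,cn=auth",
]


def map_all(identities=SAMPLE_IDENTITIES):
    """Return {identity: mapped DN or None} for a batch of identities."""
    return {identity: map_authz_identity(identity) for identity in identities}


if __name__ == "__main__":
    for identity, dn in map_all().items():
        print(f"{identity}\n    -> {dn if dn else '(unmapped)'}")
```

Running the block prints each sample identity next to the DN it maps to; the unmatched DIGEST-MD5 identity shows up as unmapped, which is the case to watch for when an authorization string from an unfamiliar source is expected to land on a real entry.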
