how I use it. I looked around
somewhere that will
it?

SASL External HOWTO? Now that's a good one. Not covered in the admin
guide and I couldn't find much info on it. Luckily I found a few bits here
and there and stumbled into success with it.

Command line SASL, EXTERNAL mech setup:
1. Configure client and server certs (I guess you already have).
slapd.conf will contain TLS certificate directives as well as
'TLSVerifyClient demand'.
ldap.conf will contain 'TLS_Req_Cert demand' (default actually).
.ldaprc or ldaprc will contain client side certificate info.

2. Check TLS/SSL connection by calling ldapsearch using simple bind
(either ldaps:// or ldap:// '-ZZ'
check LDAP server output/logs for TLS handshake.

3. Run another client command to verify available SASL mechanisms
ldapsearch -x -s base '(objectclass=*)' -H ldap://<server> -ZZ
supportedSASLMechanisms
(that's what I used)

4. If everything is configured for client auth and TLS/SSL is used, then
EXTERNAL will be listed.
You can't install a piece of software to get it, client auth needs to
be config'd and TLS used.

5. Now you can run clients like this "ldapsearch -Y external -b
dc=myserver,cd=com '(cn=*)' "
It works if the client cert is accepted.
I get asked for a password. Hit return.
You can also use '-I' if you want.

6. Use ACLs to control access to directory.

I tried to get the SASL sample server working first (because that's always
the first step for anything SASL!), but I couldn't.

If you need to use SASL's EXTERNAL mechanism from within an application,
use ldap_sasl_interactive_bind_s() and callback code similar to
<openldap>/libraries/liblutil/sasl.c. That's a whole 'nother set of emails
...

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
you grow old because you stop playing."

Linux Technology Center, Linux Security
phone: 1-512-838-9216
e-mail: ***@us.ibm.com

Hello,
You have to create X.509 certificates for all your users. For this to
work properly, you might need to change openssl.conf to fit into your
directory scheme, that is probabely additional ou's c', o's.

To make use of sasl external mechanism you have to start tls, i.e.
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
***@marin:~> ldapwhoami -Y EXTERNAL -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

SASL username is read from the certificate and than parsed against an
entry, so make sure that the distinguished names are equal.

-Dieter

I probably have a simple setup for my slapd, but the DN of the certificate
does not have to parsed to match an entry in my directory. If the client
cert can be verified by the server, client is authenticated. If a bad
client cert is used, client is not authenticated. I didn't even have a
sasl-regexp in my slapd.conf to get it to work. However, Kurt Zeilenga did
suggest to me that I would need to do some mapping of the dn's.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
you grow old because you stop playing."

Linux Technology Center, Linux Security
phone: 1-512-838-9216
e-mail: ***@us.ibm.com

Hmm, so let me restate my requirement:
Requirement:

Use OpenLDAP with TLS, with server supplying digital certificate and "demand"ing client certificate. Based on client certificate, bind the client application to an entry.

Like Howard and Kent say, my LDAP client application does get authenticated to the server. And I don't need to involve SASL at all. However, I have the following default access control mechanism:

access to *
by self write
by users read
by anonymous auth

The way I read the above policy is that if I created an entry, I can write to it, others can only read. So, if one client application created, say, three entries of a particular objectClass, only that application can modify it.

Doesn't the client application need to bind itself to the server in order to do just that? Or are you guys saying that just authenticating itself to the server is sufficient enough to fulfill the above access control policy? I am using JNDI to access LDAP. May be JNDI requires me to bind when LDAP doesn't really.

Consider that I have a new objectClass defined, called A, that has a name attribute. If one client app adds three As and another four, I want both of them to have read access to all seven, but first one with write access to first three and the second one with write access to last four.

Both the client apps have a dig cert each that server can verify. Is that good enough to fulfill the access control policy?

Boy, do I have this concept completely wrong?

Thanks,
-Milind