On 04/22/17 02:58 +0800, John Mok wrote:
> Hi, I am considering using SASL + OpenLDAP + Cyrus IMAP with client authentication by X.509 certificate instead of Kerberos GSSAPI. Please point me to where I can get the documentation on how to set up a SASL mechanism for X.509 client authentication.
libsasl supports certificate authentication by way of the EXTERNAL mechanism, which is included within the libsasl glue library. Cyrus IMAP and slapd, and other servers, are responsible for deriving the authc identity after a successful TLS client authentication. They do not do so in a consistent way.

For Cyrus SASL documentation, see:

https://cyrusimap.org/docs/cyrus-sasl/2.1.25/options.php
https://cyrusimap.org/docs/cyrus-sasl/2.1.25/mechanisms.php
sasl_setprop(3)

Cyrus IMAP appears to make the authc identity equal to the CN contained within the client cert. See imap/tls.c in the imapd source.

For slapd, see:

http://www.openldap.org/doc/admin24/sasl.html#EXTERNAL
http://www.openldap.org/doc/admin24/sasl.html#Mapping Authentication Identities
http://www.openldap.org/doc/admin24/tls.html
http://www.openldap.org/faq/data/cache/185.html

-- 
Dan White
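The inconsistency the reply points out (CN only in Cyrus IMAP, versus the whole subject DN fed through authz-regexp in slapd) is easiest to see by deriving both identities from the same certificate subjects. The script below is an added example, not code from Cyrus SASL, Cyrus IMAP or OpenLDAP. It assumes the subject DN arrives as an RFC 2253 string (what `openssl x509 -noout -subject -nameopt RFC2253` prints), that the mapping rule follows the pattern/replacement shape of slapd's `authz-regexp` (`olcAuthzRegexp` under cn=config) without its LDAP-URL replacement form, and that the sample subjects and the rule are constructed for illustration; the third subject is a certificate issued by the same CA for a different subtree.

```python
import re

# Constructed sample subject DNs as a server would see them after TLS
# client authentication. The last one shares its CN with the first but
# lives in another subtree; it is the case a CN-only mapping gets wrong.
SAMPLE_SUBJECTS = [
    "cn=jmok,ou=People,dc=example,dc=org",
    "cn=Mok\\, John,ou=People,dc=example,dc=org",   # escaped comma in the CN
    "cn=jmok,ou=People,dc=evil,dc=org",
]

# Constructed rule in the shape of slapd's authz-regexp / olcAuthzRegexp:
# a pattern matched against the authc DN and a replacement using $1..$9.
AUTHZ_REGEXP = [
    (r"^cn=([^,]+),ou=people,dc=example,dc=org$",
     "uid=$1,ou=People,dc=example,dc=org"),
]


def parse_rfc2253(dn):
    """Split an RFC 2253 DN string into [(attribute, value), ...].

    Handles backslash escapes such as '\\,' only (hex escapes, '+'
    multi-valued RDNs and quoted values are left out). A naive
    dn.split(',') cuts 'Mok\\, John' in half, which is why a parser is
    needed before any CN is trusted as an identity.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape in DN")
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value))
    return rdns


def cyrus_imap_identity(subject_dn):
    """CN-only derivation, the behaviour the reply attributes to Cyrus IMAP.

    Returns the first CN value or None. Everything else in the subject is
    discarded, so two certificates from the same CA with equal CNs but
    different OU/DC components collapse into one identity.
    """
    for attr, value in parse_rfc2253(subject_dn):
        if attr == "cn":
            return value
    return None


def slapd_identity(subject_dn, rules=AUTHZ_REGEXP):
    """authz-regexp style derivation: the first matching rule wins.

    The pattern runs over the DN string, so it sees the escaped form
    'Mok\\, John' rather than the decoded value. slapd compares against
    a normalized DN; a case-insensitive match approximates that here.
    Returns the mapped DN, or None when no rule matches (in slapd the
    subject DN itself would then remain the authc DN and normally names
    no entry, so it carries no privileges).
    """
    for pattern, replacement in rules:
        m = re.match(pattern, subject_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return None


def derive_all(subjects=SAMPLE_SUBJECTS):
    """Return {subject: (imap_style_id, slapd_style_dn)} for each subject."""
    return {s: (cyrus_imap_identity(s), slapd_identity(s)) for s in subjects}


if __name__ == "__main__":
    for subject, (imap_id, ldap_dn) in derive_all().items():
        print("%-45s IMAP authc=%r  slapd authc=%r" % (subject, imap_id, ldap_dn))
```

The third subject yields `jmok` under the CN-only rule but no identity under the anchored regexp, which is the check worth keeping: whatever the server, the mapping should key on the full subject (and on the issuer, if several CAs are trusted), not on a CN that any trusted CA can put in a certificate. On slapd that also presumes `TLSVerifyClient demand`, so EXTERNAL is only offered once the client chain has actually been verified. The second subject shows the other direction: a regexp over the string form rejects a legitimate escaped CN, so test the rules against real subjects before relying on them.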