Re: SASL X.509 authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 04/22/17 02:58 +0800, John Mok wrote:

I am considering to use SASL + OpenLDAP + Cyrus IMAP with client
authentication by X.509 certificate instead of Kerberos GSSAPI.

Please point me where I can get the documentation how to setup SASL
mechanism for X.509 client authentication.

libsasl supports certificate authentication by way of the EXTERNAL
mechanism, which is included within the libsasl glue library. Cyrus IMAP
and slapd, and other servers, are responsible for deriving the authc
identity after a successful TLS client authentication. They do not
do so in a consistent way.

For Cyrus SASL documentation, see:

Cyrus IMAP appears to make the authc identity equal to the CN contained
within the client cert. See imap/tls.c in the imapd source.

For slapd, see: Authentication Identities

Dan White

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux