On Sun, Feb 22, 2015 at 06:39:51PM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
>> On Wed, Feb 11, 2015 at 06:15:47PM +0100, Jakub Hrozek wrote:
>>> On Wed, Feb 11, 2015 at 06:05:49PM +0100, Michael Ströder wrote:
>>>> Jakub Hrozek wrote:
>>>>> On Mon, Aug 13, 2012 at 09:36:44PM +0200, Michael Ströder wrote:
>>>>>> Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
>>>>>> StartTLS or LDAPS using client certs?
>>>>>>
>>>>>> In a project they have certs in all systems anyway (because of using puppet)
>>>>>> and I'd like to let the sssd instances on all the systems authenticate to the
>>>>>> LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
>>>>>> having to set/configure passwords for each system's sssd.
>>>>>>
>>>>> Not currently, there is a ticket that is tracking adding the support:
>>>>>
>>>>> https://fedorahosted.org/sssd/ticket/561
>>>>
>>>> Well, the years pass by...
>>>>
>>>> Any chance that this is ever implemented?
>>>
>>> Patches are very much welcome. This might be a good starting point:
>>>
>>> https://fedorahosted.org/sssd/wiki/DevelTutorials
>>
>> Sorry, this didn't sound as I intended.
>>
>> We would very much like to fix all the bugs and RFEs, but we simply only
>> have limited capacity, sorry... the most straightforward way to move tickets
>> forward is to provide a patch or work with us on the patch.
>
> Strangely enough, it seems to work in 1.11+. :-)
> I did not test it before sending my last message. I had just looked at the
> ticket status.
>
> Now the question is whether it is an officially supported feature or whether
> it might disappear later.
>
I haven't tested this case at all, I just did a 2-minute git grep
through the code, but we still support GSSAPI as the only SASL
mechanism.
Did you check the client actually authenticates (as opposed to running
unencrypted or falling back to defaults)?

Funny. It really works! (tested again)
With EXTERNAL you don't have to do anything special in your code except not
filtering out EXTERNAL being used as SASL mech, because libldap will do
everything for you.

Ciao, Michael.
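The configuration Michael describes and the check Jakub asks for, as an added example that is not part of this thread and not sssd's or OpenLDAP's own code. Every concrete value is an assumption: the server name, the certificate and key paths, and the host entry DN are placeholders, and the server side (OpenLDAP with client-certificate verification enabled and a mapping from the certificate subject to that host entry) is assumed to be configured already. As Jakub notes, sssd itself documents only GSSAPI as a supported SASL mechanism, so what works here is libldap handling EXTERNAL once sssd passes the mechanism name through; the verification step is what tells you whether the bind really happened as the host's identity rather than anonymously.

```shell
#!/bin/sh
# Added example, not from the sssd project. All names below are hypothetical.
set -eu

LDAP_URI="ldap://ldap.example.com"                    # assumed server
CLIENT_CERT="/etc/pki/tls/certs/host1.crt"            # assumed client cert
CLIENT_KEY="/etc/pki/tls/private/host1.key"           # assumed client key
CA_CERT="/etc/pki/tls/certs/ca.crt"                   # assumed CA bundle
EXPECTED_DN="cn=host1,ou=hosts,dc=example,dc=com"     # assumed host entry

# 1. Client-side sssd configuration: the LDAP provider binds with
#    SASL/EXTERNAL over StartTLS and presents the host certificate, so no
#    per-host bind password is needed. Written to $1 so this example never
#    touches /etc/sssd/sssd.conf.
write_sssd_conf() {
    cat > "$1" <<EOF
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
ldap_uri = $LDAP_URI
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = $CA_CERT
ldap_tls_cert = $CLIENT_CERT
ldap_tls_key = $CLIENT_KEY
ldap_sasl_mech = EXTERNAL
EOF
}

# 2. Offline check on the authorization identity the server reports.
#    ldapwhoami prints "anonymous" for an unauthenticated bind and
#    "dn:<DN>" for an authenticated one; only an exact match on the
#    expected host entry counts as success. Returns 0 on match, 1 otherwise.
check_authzid() {
    whoami_output="$1"
    expected="$2"
    case "$whoami_output" in
        "dn:$expected") return 0 ;;
        *)              return 1 ;;
    esac
}

# 3. Live check (needs the server): bind the way sssd would, with the same
#    certificate and mechanism, and compare what the server hands back.
#    -ZZ makes StartTLS mandatory, -Y EXTERNAL selects the SASL mechanism,
#    -Q suppresses SASL prompts; the LDAPTLS_* variables tell libldap which
#    client certificate to present (the environment form of ldap.conf's
#    TLS_CERT / TLS_KEY / TLS_CACERT).
verify_external_bind() {
    out="$(LDAPTLS_CERT="$CLIENT_CERT" LDAPTLS_KEY="$CLIENT_KEY" \
           LDAPTLS_CACERT="$CA_CERT" \
           ldapwhoami -H "$LDAP_URI" -ZZ -Y EXTERNAL -Q)"
    if check_authzid "$out" "$EXPECTED_DN"; then
        echo "OK: bound as $out"
    else
        echo "FAIL: server reports '$out', expected dn:$EXPECTED_DN" >&2
        return 1
    fi
}
```

Run verify_external_bind on a host that holds the certificate before trusting the ACLs that depend on it. If the output is "anonymous", the certificate was either not presented or not mapped to an entry on the server, which is exactly the silent fallback Jakub asks about: the connection is encrypted, but the ACLs see an anonymous client.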