SASL X.509 authentication

Dan White dwhite at olp.net
Fri Apr 21 15:32:08 EDT 2017


On 04/22/17 02:58 +0800, John Mok wrote:
>Hi,
>
>I am considering using SASL + OpenLDAP + Cyrus IMAP with client
>authentication by X.509 certificate instead of Kerberos GSSAPI.
>
>Please point me to the documentation on how to set up the SASL
>mechanism for X.509 client authentication.

libsasl supports certificate authentication by way of the EXTERNAL
mechanism, which is included within the libsasl glue library. Cyrus IMAP
and slapd, and other servers, are responsible for deriving the authc
identity after a successful TLS client authentication. They do not
do so in a consistent way.

For Cyrus SASL documentation, see:

https://cyrusimap.org/docs/cyrus-sasl/2.1.25/options.php
https://cyrusimap.org/docs/cyrus-sasl/2.1.25/mechanisms.php
sasl_setprop(3)

Cyrus IMAP appears to make the authc identity equal to the CN contained
within the client cert. See imap/tls.c in the imapd source.

For slapd, see:

http://www.openldap.org/doc/admin24/sasl.html#EXTERNAL
http://www.openldap.org/doc/admin24/sasl.html#Mapping Authentication Identities
http://www.openldap.org/doc/admin24/tls.html
http://www.openldap.org/faq/data/cache/185.html
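For the slapd side, here is an added example of what the mapping described in the links above looks like in practice; it is not configuration from the original message or from the OpenLDAP project. It is a slapd.conf fragment, and it assumes the file paths, the directory layout (user entries under ou=People,dc=example,dc=com carrying a uid attribute) and the normalized form of the certificate subject (cn=<name>,ou=people,o=example,c=us) shown in the comments; adjust all of those to the real deployment.

```conf
# slapd.conf fragment (added example; paths and DNs are assumed, not from the thread).

# CA that issued the client certificates, plus the server's own cert and key.
TLSCACertificateFile  /etc/ldap/ca.pem
TLSCertificateFile    /etc/ldap/server.pem
TLSCertificateKeyFile /etc/ldap/server.key

# Require and verify a client certificate on every TLS session. With
# "never" or "allow", slapd does not establish an EXTERNAL authc identity
# from the certificate, so the authz-regexp below is never applied.
TLSVerifyClient demand

# After a verified handshake, the SASL EXTERNAL authc identity is the
# certificate Subject DN in normalized RFC 2253 form. The pattern here
# assumes certificates are issued as cn=<name>,ou=people,o=example,c=us
# and maps only that subtree to a directory entry, looked up by uid.
authz-regexp
    "^cn=([^,]+),ou=people,o=example,c=us$"
    "ldap:///ou=People,dc=example,dc=com??one?(uid=$1)"
```

The search-form URL must resolve to exactly one entry; if the uid lookup returns zero or several entries the mapping fails and the bind is rejected, which is the behaviour you want rather than a guessed identity. To confirm what identity slapd actually derived, bind over STARTTLS with the client certificate (for example `ldapwhoami -Y EXTERNAL -ZZ -H ldap://ldap.example.com` with LDAPTLS_CERT and LDAPTLS_KEY pointing at the client certificate and key) and check that the returned DN is the mapped directory entry rather than the raw certificate subject.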

-- 
Dan White

