Jakub Hrozek wrote:
> On Fri, Mar 06, 2015 at 08:26:29PM +0100, Michael Ströder wrote:
>> Funny. It really works! (tested again)
>> With EXTERNAL you don't have to do anything special in your code except not
>> filtering out EXTERNAL being used as SASL mech because libldap will do
>> everything for you.
> Can you send me the logs for examination, please?
Do you mean the sssd logs?
Which log level would you like to see?
> The way I read the logs, only GSSAPI should be supported... so needless to
> say I'm a bit surprised.
The setup would not work if the SASL EXTERNAL bind were not sent by sssd. I can see
in the OpenLDAP server's log that the authc-DN (cert subject DN) is correctly
rewritten to the accompanying LDAP authz-DN, which definitely wouldn't be the
case for a non-SASL/EXTERNAL bind.
The authz-DN-mapping in OpenLDAP's config:
See the sssd.conf attached.
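What such an authc-DN to authz-DN mapping looks like on the slapd side, as a constructed cn=config example that is not the configuration from this thread (the paths, DNs and the regexp are assumptions); on the sssd side, ldap_sasl_mech = EXTERNAL together with ldap_tls_cert / ldap_tls_key in the domain section is what makes sssd present the client certificate:

```ldif
# Constructed example: map the subject DN that slapd derives from a verified
# client certificate (the SASL EXTERNAL authc identity) to the LDAP entry the
# client is authorized as.  Assumed certificate subject, as slapd renders it:
#   cn=host01,ou=hosts,o=example
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/ca.pem
-
# slapd must verify the client certificate ("try" or "demand"); with "never"
# there is no authenticated identity for EXTERNAL to map
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
# authc-DN (certificate subject, normalized by slapd) -> authz-DN.
# $1 is the first capture group; the target may be a literal DN or an LDAP
# URL that must resolve to exactly one entry.  Check the exact authc string
# in the slapd log before writing the regexp, since the attribute order and
# case of the rendered subject are what the pattern has to match.
replace: olcAuthzRegexp
olcAuthzRegexp: "^cn=([^,]+),ou=hosts,o=example$" "ldap:///ou=hosts,dc=example,dc=com??one?(cn=$1)"
```

Apply with ldapmodify as the cn=config root DN; the mapping takes effect without a restart, and a subsequent EXTERNAL bind should show both the authc-DN and the rewritten authz-DN in the server log.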