[Bug 249881] Re: Hardy slapd server is not supporting sasl/external authentication

Mathias Gug mathiaz at ubuntu.com
Mon Aug 4 18:57:37 BST 2008

Section of the OpenLDAP admin guide states the following:

Note: The server must request a client certificate in order to use the
SASL EXTERNAL authentication mechanism with a TLS session. As such, a
non-default TLSVerifyClient setting must be configured before SASL
EXTERNAL authentication may be attempted, and the SASL EXTERNAL
mechanism will only be offered to the client if a valid client
certificate was received.

According to your slapd.conf file, you're using:

TLSVerifyClient try

which means that if your client doesn't send its certificate, the
connection proceeds anyway. And thus the EXTERNAL mechanism will not be

Try setting TLSVerifyClient to demand, so that the connection won't
proceed if the client doesn't send a certificate. That may be your
actual problem.

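An added example, not part of the original message or of the OpenLDAP project: a shell check that reads a slapd.conf and reports what its TLSVerifyClient level means for SASL EXTERNAL. The function names and the sample config are constructed, and treating the last occurrence of the directive as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: classify the TLSVerifyClient level found in a slapd.conf
# (read from stdin) by its effect on SASL EXTERNAL over TLS.

# Print the effective TLSVerifyClient level. slapd.conf directive names are
# case-insensitive, lines starting with '#' are comments, and lines starting
# with whitespace are continuations of the previous line, so only lines that
# start in the first column are considered. "never" is the documented default.
# Assumption: if the directive is repeated, the last occurrence wins.
tls_verify_level() {
    awk '
        $0 !~ /^[ \t#]/ && tolower($1) == "tlsverifyclient" {
            level = tolower($2)
        }
        END { print (level == "" ? "never" : level) }
    '
}

# Map the level to what it means for client certificates:
#   required      - handshake fails without a valid client certificate, so
#                   every established TLS session can be offered EXTERNAL
#   optional      - session proceeds without a certificate; those clients
#                   are not offered EXTERNAL (the situation in the message)
#   not-requested - server never asks for a certificate
#   unknown       - value is not a documented level
external_status() {
    case "$(tls_verify_level)" in
        demand|hard|true) echo "required" ;;
        try|allow)        echo "optional" ;;
        never)            echo "not-requested" ;;
        *)                echo "unknown" ;;
    esac
}

# Constructed sample fragment using the setting quoted in the message;
# the certificate path is a placeholder.
sample='# constructed slapd.conf fragment
TLSCACertificateFile /etc/ssl/certs/example-ca.pem
TLSVerifyClient try'

printf '%s\n' "$sample" | external_status    # prints: optional
```

To check a real configuration, pipe it in, for example `external_status < /etc/ldap/slapd.conf`, adjusting the path to where the file lives on the system.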