node-ldapjs
SASL external with TLS client certs
New user of this great lib. I've read the issues and docs and am pretty sure this is not supported, but wanted to check anyway.
I need to use LDAP (as a client) over ldaps:// where the tlsOptions contain a key and cert for TLS client authentication. I.e. the LDAP server (the peer) will verify my LDAP client via TLS client authentication.
But I want this TLS client auth to be used with the "SASL EXTERNAL mechanism" (page 29 in https://docs.ldap.com/specs/rfc4422.txt).
As far as I can understand, this is something I can currently achieve with ldapsearch by supplying the -Y EXTERNAL.
So with all that in mind, since ldapjs already supports TLS using client cert/key, is it possible for it to use -Y EXTERNAL so that they are also used as the SASL mechanism "EXTERNAL"?
We use the standard TLS socket from Node core. If that doesn't support what you are asking for, then we do not support it.
Is there a plan to support the above scenario? I.e. SASL with the mechanism "EXTERNAL" set?
If you'd like to send a pull request to implement such a feature, sure. Remember to add unit tests.
I could possibly do it, or some other hero who steps in. Could you give a pointer on where I would add that feature?
In ldapsearch it is quite simple with the -Y EXTERNAL flag but I assume it is not as straight-forward here.
That would be part of implementing the feature -- determining how to implement it.
👋
On February 22, 2023, we released version 3 of this library. As a result, we are closing this issue/pull request.
Please see issue #839 for more information, including how to proceed if you feel this closure is in error.
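For reference, what `ldapsearch -Y EXTERNAL` requests at the protocol level is a BindRequest whose authentication choice is SASL with the mechanism name `EXTERNAL`, sent after the TLS handshake has presented the client certificate. The following is an added example, not part of the original thread and not ldapjs code or its API; it BER-encodes that message per RFC 4511, and the function names and the sample authorization identity are assumptions.

```javascript
// Added example: BER-encode an LDAPv3 SASL EXTERNAL BindRequest (RFC 4511, 4.2).
// Function names are hypothetical; none of this is ldapjs code or its API.

// Definite-form BER length: short form below 128, long form otherwise.
function berLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (; n > 0; n >>>= 8) bytes.unshift(n & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

// One tag-length-value element; string parts are encoded as UTF-8.
function tlv(tag, ...parts) {
  const value = Buffer.concat(
    parts.map((p) => (Buffer.isBuffer(p) ? p : Buffer.from(p, 'utf8'))));
  return Buffer.concat([Buffer.from([tag]), berLength(value.length), value]);
}

// INTEGER for non-negative values (messageID, protocol version).
function berInt(n) {
  const bytes = [];
  do { bytes.unshift(n & 0xff); n >>>= 8; } while (n > 0);
  if (bytes[0] & 0x80) bytes.unshift(0x00); // leading zero keeps it positive
  return tlv(0x02, Buffer.from(bytes));
}

// authzId omitted  -> implicit assertion: the server derives the identity
//                     from the TLS client certificate (RFC 4513, 5.2.3.1).
// authzId supplied -> explicit assertion, e.g. "dn:..." (RFC 4513, 5.2.3.2).
function saslExternalBind(messageId, authzId) {
  const sasl = [tlv(0x04, 'EXTERNAL')];                      // mechanism
  if (authzId !== undefined) sasl.push(tlv(0x04, authzId));  // credentials
  const bindRequest = tlv(0x60,      // [APPLICATION 0] BindRequest
    berInt(3),                       // version 3
    tlv(0x04, ''),                   // name: empty DN
    tlv(0xa3, ...sasl));             // authentication: [3] SaslCredentials
  return tlv(0x30, berInt(messageId), bindRequest); // LDAPMessage envelope
}

// These bytes would be written to a TLS socket whose handshake already
// presented the client key/cert; without that there is nothing "external"
// for the server to authenticate.
console.log(saslExternalBind(1).toString('hex'));
console.log(saslExternalBind(2, 'dn:uid=app,dc=example,dc=com').toString('hex')); // constructed DN
```

The server answers with a BindResponse; a result code of success means it accepted the identity established by the TLS layer.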