This is one of a series of messages describing new features in Isode R14.4, scheduled to ship in April 2009. You can see all of the messages on this blog relating to R14.4 by clicking on this link.
R14.4 adds considerable flexibility in strong authentication configuration for Sodium and Sodium Sync. This is of particular importance for Sodium Sync, which may need to connect with strong authentication (e.g., using LDAPS) to a server with a strong authentication configuration that is quite different to the local one.
Strong Authentication can be used with X.500 DAP, with LDAPS (the deprecated, but widely used, direct mapping of LDAP onto TLS), and with LDAP. Strong authentication with LDAP (not using LDAPS) requires TLS, negotiated with the START-TLS option. LDAP Bind profiles can be configured to use TLS with either strong authentication or other methods. The signing part of strong authentication simply uses a configured Secure Identity to sign the message; the client's Directory name is carried as the subject name of the X.509 certificate.
Server verification requires checking the X.509 Certificate associated with the server, which the server supplies in the bind. A trust anchor (Certificate) is provided as part of the Secure Identity of the client, and for a local server this will usually be appropriate for server verification. Additional verification parameters, such as CRL checking, can be configured as part of the bind profile.
Where the configured trust anchor is not appropriate, the certificate provided by the server is presented to the user. Sodium checks that the server certificate contains information that correctly identifies the server, using the certificate's SubjectName and (for LDAP) the DNS Name and IP address SubjectAltName values. Any inconsistencies are flagged to the user. The user may accept the certificate for one connection only, or configure the certificate as "trusted" in the bind profile. This provides a secure and convenient mechanism for configuring trust with remote servers.
The following screenshots show:
- What happens if you ask Sodium to do a "Strong" bind to an LDAP URL. In this case, Sodium uses SASL EXTERNAL, which implies "startTLS" (so the box is checked and can't be turned off), and allows you to choose an identity to use:
- What happens if you ask Sodium to do a "Simple" bind to an LDAP URL. In this case, the user has requested startTLS. I.e. it'll connect, startTLS, then do a simple bind. In this case no identity is used, but any server certificate will be checked against the user's trusted certificates.
- The "trusted certificates" associated with a bind profile.
- The dialog that is displayed if you do a bind over LDAP with TLS (either LDAPS or LDAP+startTLS) and the server sends back a certificate which isn't trusted and (in this case) has failed the server id check.
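The server identity check and the trust decision described above (the SubjectName and SubjectAltName comparison, the "not trusted and failed the server id check" case, and the choice between accepting once and trusting in the bind profile) can be modelled in a few dozen lines. The following is an added example written for this post, not Sodium's or Isode's code. It uses the certificate dictionary shape that Python's standard `ssl.SSLSocket.getpeercert()` returns, so it runs offline with the standard library only; the certificate contents, host names and the "DER bytes" stand-in are constructed sample values, and the `BindProfile` class and `evaluate_bind` function are hypothetical names chosen for the example.

```python
"""Server identity check and trust decision for an LDAP-over-TLS bind.

Added example (not Isode's code). Certificates are modelled in the
dictionary shape returned by ssl.SSLSocket.getpeercert(); all values
below are constructed samples.
"""
import hashlib
import ipaddress

# Constructed sample certificate: subject CN plus DNS and IP SubjectAltNames.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "ldap.example.net"),)),
    "subjectAltName": (
        ("DNS", "ldap.example.net"),
        ("DNS", "*.dir.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}
# Constructed stand-in for the DER bytes the server would send in the bind.
SAMPLE_DER = b"constructed-der-bytes-for-ldap.example.net"


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a wildcard may replace only the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:] and len(h_labels) > 2
    return pattern == host


def check_server_identity(cert: dict, target: str) -> list:
    """Return the list of inconsistencies found; an empty list means the
    certificate correctly identifies `target` (a host name or IP address)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    problems = []
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # Connecting by address: only the IP SubjectAltName entries count.
        if not any(ipaddress.ip_address(ip) == addr for ip in ip_names):
            problems.append(f"IP {target} not among SubjectAltName IP entries {ip_names}")
        return problems
    if dns_names:
        if not any(_dns_match(p, target) for p in dns_names):
            problems.append(f"host {target} matches none of SubjectAltName DNS {dns_names}")
        return problems
    # No DNS SubjectAltNames at all: fall back to the subject commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_dns_match(cn, target) for cn in cns):
        problems.append(f"host {target} does not match subject commonName {cns}")
    return problems


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint used as the key for explicitly trusted certificates."""
    return hashlib.sha256(der).hexdigest()


class BindProfile:
    """Persistent trust state for one bind profile (hypothetical class):
    the set of server certificates the user has marked as "trusted"."""

    def __init__(self, trusted_fingerprints=()):
        self.trusted = set(trusted_fingerprints)

    def trust_permanently(self, der: bytes) -> None:
        self.trusted.add(fingerprint(der))


def evaluate_bind(profile: BindProfile, cert: dict, der: bytes, target: str,
                  chain_verified: bool, session_accepted=frozenset()) -> dict:
    """Decide whether the bind may proceed or the user must be shown the
    certificate. `chain_verified` is the result of validation against the
    trust anchor (and any CRL check); `session_accepted` holds fingerprints
    the user accepted for this connection only."""
    fp = fingerprint(der)
    problems = check_server_identity(cert, target)
    if chain_verified and not problems:
        return {"action": "proceed", "trust": "trust-anchor", "problems": []}
    if fp in profile.trusted or fp in session_accepted:
        # Explicit trust pins this exact certificate; problems are still reported.
        return {"action": "proceed", "trust": "explicit", "problems": problems}
    return {"action": "prompt", "trust": "none", "problems": problems, "fingerprint": fp}


if __name__ == "__main__":
    profile = BindProfile()
    print(evaluate_bind(profile, SAMPLE_CERT, SAMPLE_DER, "other.example.net", False))
```

Wildcard handling is deliberately strict (one leftmost label only) and the commonName is consulted only when the certificate carries no DNS SubjectAltName, which is the behaviour a client should have when it falls back from the configured trust anchor to a user-presented certificate.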