Re: Preliminary TLS/SSL success
Julio Sánchez Fernández wrote:
> ... I am still wondering about how to map data in the certificates to DNs.
It's a complex problem.
> For certificates granted by public commercial CAs, a direct mapping of those
> names into directory DNs may prove impractical.
It's totally impractical, in my experience.
> On the other hand, approaches based on searching the directory severely limit
> the prospects of allowing the granting of privileges in the directory
> to identities strongly verified but that correspond to DNs that do not
> reside in this particular directory. For instance, we are part of a large
> organization composed of several related, but legally and organizationally
> different, entities. We want to have controlled access from one part of the
> organization to the directories in other parts. That is, I want to believe
> the certificates granted at some other place and grant those identities
> access to my directory, but those subjects are not in my directory and I
> don't want to make a search against their directory just to accept the bind.
Why not? It has drawbacks, of course, but it has advantages, too. I wouldn't
reject it instantly.
Two other reasonable alternatives are:
- Search your own directory, to find an entry (probably created for this
purpose) whose DN will be the client's authorization identity. Perhaps the
client's authentication identity must match this entry; for example, the
client's certificate must be equal to a userCertificate;binary attribute of
the entry.
- Extend your access control mechanism, to support an authorization identity
that is not the DN of a local directory entry. Netscape Directory Server
supports this; it's configured by allowing access to the members of a
groupOfCertificates. This mechanism is designed to support a security system
in which a client's certificate's subject DN is essentially a capability
list. Access is allowed if that list contains certain name/value pairs, which
are stated in a memberCertificateDescription attribute. For details, see
http://home.netscape.com/eng/server/directory/schema/oc_dir21.htm#1302288
http://home.netscape.com/eng/server/directory/schema/attribua.htm#1736745
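The two alternatives above, as an added Python example that is not part of the original message and not code from Netscape Directory Server: the first function looks up a local entry whose userCertificate;binary value is byte-for-byte equal to the presented certificate; the second treats the certificate's subject DN as a capability list and checks that every required name/value pair is present. The directory contents and certificate bytes are constructed stand-ins, and the DN-like syntax used for the required pairs is an assumption, not the server's real memberCertificateDescription syntax.

```python
"""Deriving an LDAP authorization identity from a verified client certificate.

Both functions assume the TLS layer has already validated the certificate
chain; they only decide which directory identity (if any) the client gets.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> attributes. A real entry would hold DER
# bytes in userCertificate;binary; placeholder byte strings are used here.
DIRECTORY: Dict[str, Dict[str, List[bytes]]] = {
    "uid=alice,ou=people,o=example": {"userCertificate;binary": [b"DER-CERT-ALICE"]},
    "uid=bob,ou=people,o=example":   {"userCertificate;binary": [b"DER-CERT-BOB"]},
}


def find_entry_by_certificate(client_cert_der: bytes,
                              directory: Dict[str, Dict[str, List[bytes]]]) -> Optional[str]:
    """Alternative 1: the authorization identity is the DN of the local entry
    whose userCertificate;binary equals the presented certificate exactly.

    Returns None when no entry matches, and also when more than one matches:
    an ambiguous mapping must not silently pick an identity."""
    matches = [dn for dn, attrs in directory.items()
               if client_cert_der in attrs.get("userCertificate;binary", [])]
    if len(matches) != 1:
        return None
    return matches[0]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (type, value) pairs.

    Handles backslash-escaped separators and multi-valued RDNs joined with '+'.
    Attribute types are lower-cased; quoted values and hex-encoded values are
    not handled (assumption: the simple string form is sufficient here)."""
    parts: List[str] = []
    buf = ""
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character, keep literally
            buf += dn[i + 1]
            i += 2
            continue
        if c in ",+":                          # end of an RDN or of one of its values
            parts.append(buf)
            buf = ""
            i += 1
            continue
        buf += c
        i += 1
    parts.append(buf)

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def subject_dn_authorizes(subject_dn: str, required_pairs: str) -> bool:
    """Alternative 2: treat the subject DN as a capability list and allow
    access only if every required type=value pair appears in it.

    `required_pairs` uses the same DN-like syntax as the subject (assumption).
    Values are compared case-insensitively, mirroring caseIgnoreMatch."""
    have = {(t, v.casefold()) for t, v in parse_dn(subject_dn)}
    need = {(t, v.casefold()) for t, v in parse_dn(required_pairs)}
    return need <= have


if __name__ == "__main__":
    print(find_entry_by_certificate(b"DER-CERT-ALICE", DIRECTORY))
    print(subject_dn_authorizes("CN=Alice,OU=Eng,O=Example,C=US", "ou=eng,o=Example"))
```

The exact-bytes comparison in the first alternative is deliberate: matching on the subject name alone would let any CA the server trusts issue a certificate that maps to the same entry, whereas requiring the stored certificate itself to match ties the entry to one specific credential. The second alternative moves that trust question to the issuing CA, so the set of CAs allowed to assert the required pairs is the real access control decision.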