
Support for extensible certificate mapping
We'd like to plug in an extensible certificate mapping function into
slapd, for clients that do SASL EXTERNAL binds over TLS.

The function requires both the certificate issuer and subject DNs, as
well as possibly the set of subjectAltNames. So it's not possible to
express the certificate mapping function as a SASL regex rule in the
current implementation (which just normalizes the subject DN).

It seems like overriding dnX509peerNormalize() would give us the most
flexibility. I tried this and it appears that internal searches (which
we would need to perform the mapping) don't work -- I can debug this
further of course, but would appreciate some input first as to whether
this is an appropriate hook. I would propose a native OpenLDAP API like:

int register_certificate_map_function(int (*fn)(void *ssl, struct berval *dn));

Another possibility would be to enable a mode where the EXTERNAL DN
was something like:

	subjectDN=%s,issuerDN=%s,cn=EXTERNAL,cn=auth

which could be processed by SASL regexp rules. The problem with this
approach is that it would need to be optional to not break existing
deployments, and it also doesn't give us access to subjectAltName
which would be desirable in our application.

-- Luke

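As an added illustration (not part of Luke's post or of OpenLDAP's code), the C snippet below composes the EXTERNAL DN template from the second proposal and shows the RFC 4514 escaping the embedded certificate DNs need before a SASL regexp rule can parse the result unambiguously; the function names and the sample DNs are made up here.

```c
#include <stdio.h>
#include <string.h>

/* Scratch buffer used by main() below; large enough for two PKI DNs. */
static char dn_buf[1024];

/* Escape one attribute value as RFC 4514 requires: backslash before , + " \ < > ;
 * anywhere, before a leading '#' or space, and before a trailing space.
 * Returns bytes written (without the NUL) or (size_t)-1 if out is too small. */
static size_t escape_dn_value(const char *in, char *out, size_t outlen)
{
    size_t n = 0, len = strlen(in);
    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        int esc = strchr(",+\"\\<>;", c) != NULL
               || (i == 0 && (c == '#' || c == ' '))
               || (i == len - 1 && c == ' ');
        if (n + (esc ? 2u : 1u) + 1 > outlen)
            return (size_t)-1;
        if (esc)
            out[n++] = '\\';
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

/* Compose subjectDN=...,issuerDN=...,cn=EXTERNAL,cn=auth. Each certificate DN is
 * escaped first so its own commas stay inside one value instead of becoming
 * extra RDNs; a plain sprintf("%s") of the raw DNs would be ambiguous. */
int build_external_dn(const char *subject, const char *issuer,
                      char *out, size_t outlen)
{
    char esub[512], eiss[512];
    if (escape_dn_value(subject, esub, sizeof esub) == (size_t)-1 ||
        escape_dn_value(issuer, eiss, sizeof eiss) == (size_t)-1)
        return -1;
    int r = snprintf(out, outlen, "subjectDN=%s,issuerDN=%s,cn=EXTERNAL,cn=auth",
                     esub, eiss);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample DNs, not taken from any real certificate. */
    if (build_external_dn("cn=Alice,ou=People,o=Example",
                          "cn=Example CA,o=Example", dn_buf, sizeof dn_buf) == 0)
        puts(dn_buf);
    return 0;
}
```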