[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access ... by certificate=...

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: access ... by certificate=...
From: Howard Chu <hyc@symas.com>
Date: Fri, 20 Apr 2007 18:57:04 -0700
Cc: openldap-devel@openldap.org
In-reply-to: <hbf.20070420ll82@bombur.uio.no>
References: <hbf.20070420ll82@bombur.uio.no>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a4pre) Gecko/20070409 SeaMonkey/1.5a

Hallvard B Furuseth wrote:

Sorry if I asked about this before and forgot it...

Could we add an 'access ... by' variant for the client's TLS
certificate, _without_ Bind:SASL/EXTERNAL?
(To the cert's DN, I expect, but I don't know much about
certificates.  Maybe there are other things to look at as well.)

That could be used to authenticate a service (an LDAP client)
rather than the user it Binds as, when the service asks the user
for password and Binds with his DN and password.

The simple way to do that is to grant access to the service's IP
address, but that's not always feasible, and gets hard to maintain.

This sounds like a special case of proxy authorization. Can't you just use that?

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- Re: access ... by certificate=...
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- access ... by certificate=...
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: access ... by certificate=...
Next by Date: Re: access ... by certificate=...
Index(es):
- Chronological
- Thread