
Re: TLS and client certificates



At 06:41 PM 1/11/01 +0800, Michael Simmons wrote:
>Section 7.1 of RFC 2829 mentions the use of client certificates to authenticate users.
>Especially where the client signs its own certificate with its private key. Perhaps requesting a passphrase when this occurs.
>
>Does OpenLDAP 2.0.7 support or plan to support this?

There is some additional code in HEAD which is designed
to support SASL/EXTERNAL w/ TLS/X.509.

>Is the Server's own Certificate used as a Trusted CA?
>Can other CAs be used?

In general, the server would be configured to trust
certificates issued from multiple certificates.

>What is its relationship to SASL "EXTERNAL".

The authentication is left to the TLS layer. SASL EXTERNAL
just pulls up the TLS authentication for use in the
application space.

>Am I correct that SASL "PLAIN" and "ANONYMOUS" are not used in OpenLDAP (as per 8.0 of RFC2829)?

OpenLDAP initializes Cyrus SASL with no-plain and no-anonymous for security
reasons outlined in RFC 2829.  This actually allows PLAIN to be used when
there are transport-level protections in place (and SASL is aware of them).
This is consistent with both RFC2829, Section 4 and RFC2595, Section 6.
(Yes, this is somewhat counter to what section 8 says; this conflict will
be resolved when RFC 2829 is revised).

>i.e. DIGEST-MD5, CRAM-MD5, KERBEROS and EXTERNAL are the only options for SASL Mechanism

There are additional mechanisms to choose from including SRP, OTP, and GSSAPI.

>OpenLDAP cannot authenticate via PAM, correct?

Not directly.  Cyrus SASL can use PAM for password verification in conjunction
with the PLAIN mechanism.

>Is the SASL library used to hash userPassword?

No.

>If I want to use SASL DIGEST-MD5 how do I choose SASL realm and SASL host?

sasl-host can generally be left unset; it will default to
your hostname.  However, in multiple-homed and/or virtual
hosting environments, you should set it to the hostname
which is associated with the primary IP address of the service.

You can choose pretty much any string as a realm name.
I suggest your domain name in upper case.

Kurt
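The mechanism-selection rule Kurt describes above (PLAIN and ANONYMOUS are disabled by default, but PLAIN becomes usable once a transport layer such as TLS provides protection, and EXTERNAL only surfaces an identity the TLS layer already authenticated) can be modelled in a few lines. The following is an added example written for this thread; it is not OpenLDAP or Cyrus SASL code. The mechanism table, its property flags and SSF numbers, and the `sasl-secprops`-style keyword names (`noplain`, `noanonymous`, `nodict`, `minssf=`) are simplified assumptions chosen to match the behaviour described in the reply, not the real plugin tables.

```python
"""Model of how SASL security properties gate the mechanisms a server offers.

Illustrative example for this thread; not OpenLDAP or Cyrus SASL code.
Mechanism properties and SSF values below are simplified assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mechanism:
    name: str
    max_ssf: int          # strongest security layer the mechanism itself can add
    props: frozenset      # security properties the mechanism satisfies


# Simplified mechanism table (assumption, not Cyrus SASL's real plugin flags).
MECHANISMS = (
    Mechanism("PLAIN", 0, frozenset({"noanonymous"})),            # sends the password in clear
    Mechanism("ANONYMOUS", 0, frozenset({"noplaintext", "nodict"})),
    Mechanism("CRAM-MD5", 0, frozenset({"noplaintext", "noanonymous"})),
    Mechanism("DIGEST-MD5", 128, frozenset({"noplaintext", "noanonymous"})),
    Mechanism("GSSAPI", 56, frozenset({"noplaintext", "noanonymous"})),
    Mechanism("EXTERNAL", 0, frozenset({"noplaintext", "noanonymous", "nodict"})),
)

# Keyword spelling modelled on slapd.conf's sasl-secprops (assumption).
_FLAG_KEYWORDS = {"noplain": "noplaintext", "noanonymous": "noanonymous",
                  "nodict": "nodict"}


@dataclass(frozen=True)
class SecProps:
    flags: frozenset = frozenset()
    minssf: int = 0


def parse_secprops(spec):
    """Parse a comma-separated list such as 'noplain,noanonymous,minssf=56'."""
    flags, minssf = set(), 0
    for item in spec.split(","):
        item = item.strip()
        if not item or item == "none":
            continue
        if item.startswith("minssf="):
            minssf = int(item.split("=", 1)[1])
        elif item in _FLAG_KEYWORDS:
            flags.add(_FLAG_KEYWORDS[item])
        else:
            raise ValueError("unknown secprops keyword: %s" % item)
    return SecProps(frozenset(flags), minssf)


def permitted(mech, secprops, external_ssf=0, external_authid=None):
    """Decide whether one mechanism may be offered under the given properties.

    external_ssf is the strength of an already-established transport layer
    (0 for cleartext, >0 once TLS is up); external_authid is the identity the
    transport layer authenticated (e.g. the client certificate subject)."""
    required = set(secprops.flags)
    # The rule from the reply: an existing transport layer satisfies
    # "no plaintext", so PLAIN is usable over TLS but not over cleartext.
    if external_ssf > 0:
        required.discard("noplaintext")
    if required - mech.props:
        return False
    # minssf may be met by the transport layer, the mechanism, or both together.
    if secprops.minssf > external_ssf + mech.max_ssf:
        return False
    # EXTERNAL only "pulls up" an identity the lower layer already authenticated.
    if mech.name == "EXTERNAL" and not external_authid:
        return False
    return True


def offered_mechanisms(secprops, external_ssf=0, external_authid=None):
    """Return the names of the mechanisms the server would advertise."""
    return [m.name for m in MECHANISMS
            if permitted(m, secprops, external_ssf, external_authid)]


if __name__ == "__main__":
    props = parse_secprops("noplain,noanonymous")     # the defaults described above
    print("cleartext      :", offered_mechanisms(props))
    # Constructed values: a TLS layer with SSF 128 and a client-cert subject.
    print("TLS + client   :", offered_mechanisms(props, external_ssf=128,
                                                 external_authid="cn=client,o=example"))
```

Running it shows PLAIN absent from the cleartext list but present once a TLS layer exists, ANONYMOUS absent in both cases, and EXTERNAL appearing only when the TLS layer actually authenticated a client identity; raising `minssf` drops the mechanisms that can neither add a layer themselves nor ride on one.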