
RE: OpenLDAP and SSL-client authentication?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of wun

> Does OpenLDAP (compiled using the OpenSSL lib) support SSL-client
> authentication?

Yes

> If yes, since which release?

Looking through the CVS log, I think since about November 2000, or
the 2.0.7 release. That's when the first cut of SASL/EXTERNAL
authentication was rolled out of the development stream into a release.

> Has anybody successfully implemented the OpenLDAP server authenticating
> any LDAP client (such as the command-line ldapsearch; the Netscape
> Addressbook or the LDAP Browser/Editor version 2.8.1 by Jarek Gawor;
> url: http://www.iit.edu/~gawojar/ldap/ )?

I have not used the SASL/EXTERNAL mechanism with any of these clients. I
tested with some custom/private code to do SSL-client authentication before
the 2.0.7 code was released. My experience with the Netscape client has been
pretty spotty as far as ldaps connections go. It took a lot of fiddling to
get Jarek's browser working with ldaps too, and I don't recall ever setting
it up with a client certificate. The only thing I got working easily was
the command-line tools. For these clients, you just need to set the path to
your certificate and private key in ~/.ldaprc:
	TLS_CERT /home/me/mycert.pem
	TLS_KEY  /home/me/mykey.pem

> Finally, how to configure the OpenLDAP server for SSL-client
> authentication (i.e. NOT only having an SSL-encrypted wire, but to enable
> exchanging server/client certificates for authentication purposes and
> signing messages using the respective private keys, thus verifying the
> identity of the respective parties)?

The only supported method is to build OpenLDAP with SASL support. You
need to perform a SASL bind with the EXTERNAL mechanism on an SSL/TLS
session. You may want to use the "TLSVerifyClient  1" option in slapd.conf
to require that all clients have a valid cert.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
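As an added example (not from the thread), a POSIX shell script that writes the ~/.ldaprc fragment from the reply, refuses a private key that other users can read, and performs the SASL/EXTERNAL bind with ldapwhoami so the resulting identity can be checked; the ldaps:// host and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the OpenLDAP
# command-line tools were built with SASL support and that the
# server already has TLS enabled.

# Write the per-user client config from the reply: the certificate
# presented to the server and the private key that proves it is ours.
# $1 = certificate path, $2 = private key path, $3 = output file
write_ldaprc() {
    printf 'TLS_CERT %s\nTLS_KEY  %s\n' "$1" "$2" > "$3"
}

# SASL/EXTERNAL treats possession of the private key as proof of
# identity, so the key file must not be readable by group or others.
# Returns 0 when only the owner has any access bits set.
# Uses GNU stat -c and falls back to BSD stat -f.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Perform the bind the reply describes: -Y EXTERNAL selects the SASL
# EXTERNAL mechanism, so no password is sent and the identity comes from
# the client certificate exchanged in the TLS handshake. ldapwhoami
# prints the authorization identity the server derived, which is the
# quickest way to confirm the certificate was accepted and mapped.
# $1 = ldaps:// URI (placeholder), $2 = ldaprc file to use
external_bind() {
    LDAPRC="$2" ldapwhoami -H "$1" -Y EXTERNAL
}

# Usage (placeholders): refuse to bind with an over-exposed key.
#   write_ldaprc /home/me/mycert.pem /home/me/mykey.pem "$HOME/.ldaprc"
#   key_is_private /home/me/mykey.pem || { echo 'key too open' >&2; exit 1; }
#   external_bind ldaps://ldap.example.invalid "$HOME/.ldaprc"
```

Note that ldapwhoami reports an empty or anonymous identity when the server accepted the TLS session but did not map the certificate to a DN, so the bind should be considered successful only when it prints the expected dn: form.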
