
Re: Authentication of both proxy and client
Stig Venaas wrote:
> 
> I would
> like to restrict who can act like gateways. The former combined with
> TLS (no SASL) and client certificate verification satisfies my wishes
> if I create my own special CA to sign certificates for the gateways,
> and make only that CA known to the LDAP server.

Creating a special (sub-)CA for implementing the authorization
scheme of the gateway looks odd to me (maybe I misunderstood
something).

IMHO a better approach is to let the gateway admin decide which of
the certificate holders are allowed to access the gateway. If you're
free to define a schema the gateway could try to determine this from
the user entry. E.g. search for user entry by certificate's
fingerprint (user identification) and check a certain attribute in
the user entry (gateway authorization). The certificate matching rule
draft by David could also be helpful here if the certificates are
stored in the LDAP directory.

Note that 1. you should not use e-mail certs for strong
authentication and 2. it might not make sense to store
authentication certs in the directory at all.

> If I could restrict
> simple bind based on contents of the TLS client certificate (the CN
> perhaps), I could use a CA that also issues certificates to others.

I tried something similar in the beginning with web2ldap. I tried to
derive the bind DN or at least a search template (for user
identification) from the certificate's subject DN. This whole thing
looked easy at the beginning, but after learning more about it I
dropped support for this. Today I'm just restricting gateway use
based on client certs by checking a simple regex against the subject
and issuer DN string representations. (Stig, we can discuss that on
Monday if you'd like to.)

No SASL in the game so far. Therefore I'm also interested in
learning more about it.

Do I have to use SASL to authenticate the user at the gateway?
Is it possible to simply pass the client certificate's subject DN
(which string form?) in a SASL bind to the LDAP server to act like
this user?
How does the LDAP server map this certificate subject DN to the
user's entry DN?

Ciao, Michael.
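The two gateway authorization checks discussed in this thread, as an added example that is not part of the original mail and not web2ldap's own code: (a) the regex check on the client certificate's subject and issuer DN strings, and (b) the lookup of the user entry by certificate fingerprint followed by a check of an authorization attribute in that entry. It uses only the Python standard library. The peer certificate is constructed in the shape that `ssl.SSLSocket.getpeercert()` returns, the DER bytes are a constructed stand-in for `getpeercert(binary_form=True)`, the directory is an in-memory dict standing in for an LDAP search, and the attribute names `x-certFingerprint` and `x-gatewayAuthorized` are hypothetical, not from any published schema.

```python
import hashlib
import re

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified client certificate: subject and issuer as tuples of RDNs, in
# certificate order (country first). All values are made up for this example.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "DE"),),
                (("organizationName", "Example Org"),),
                (("commonName", "alice"),)),
    "issuer": ((("countryName", "DE"),),
               (("organizationName", "Example Org"),),
               (("commonName", "Example Gateway Users CA"),)),
    "serialNumber": "0A1B2C",
}
# Constructed stand-in for getpeercert(binary_form=True); only its hash is used.
SAMPLE_PEER_DER = b"constructed-DER-bytes-for-alice"

# Short attribute names for rendering a DN as a string (RFC 4514 style).
_RDN_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
              "organizationName": "O", "organizationalUnitName": "OU",
              "commonName": "CN", "emailAddress": "emailAddress"}


def dn_to_string(rdns):
    """Render getpeercert()-style RDN tuples as an RFC 4514 string (CN first)."""
    parts = []
    for rdn in reversed(rdns):
        parts.append("+".join(f"{_RDN_SHORT.get(k, k)}={v}" for k, v in rdn))
    return ",".join(parts)


# (a) Regex restriction on subject AND issuer DN strings. Checking the issuer
# matters when the CA also issues certificates to others: a subject CN is only
# meaningful together with the CA that vouched for it.
SUBJECT_RE = re.compile(r"^CN=[a-z0-9._-]+,O=Example Org,C=DE$")
ISSUER_RE = re.compile(r"^CN=Example Gateway Users CA,O=Example Org,C=DE$")


def allowed_by_dn_regex(peer_cert, subject_re=SUBJECT_RE, issuer_re=ISSUER_RE):
    """Return True only if both subject and issuer DN strings match the patterns."""
    subject = dn_to_string(peer_cert["subject"])
    issuer = dn_to_string(peer_cert["issuer"])
    return bool(subject_re.match(subject)) and bool(issuer_re.match(issuer))


# (b) Fingerprint -> user entry -> authorization attribute.
def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_bytes).hexdigest()


# Constructed stand-in for the directory: entry DN -> attribute values. A real
# gateway would run an LDAP search with a filter such as
# (x-certFingerprint=<hex>); both attribute names are hypothetical.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "x-certFingerprint": [cert_fingerprint(SAMPLE_PEER_DER)],
        "x-gatewayAuthorized": ["TRUE"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "x-certFingerprint": [cert_fingerprint(b"constructed-DER-bytes-for-bob")],
        "x-gatewayAuthorized": ["FALSE"],
    },
}


def find_user_by_fingerprint(directory, fingerprint):
    """Return the single entry DN holding this fingerprint; None if zero or ambiguous."""
    matches = [dn for dn, attrs in directory.items()
               if fingerprint in attrs.get("x-certFingerprint", [])]
    if len(matches) != 1:  # no mapping, or an ambiguous one: refuse rather than guess
        return None
    return matches[0]


def allowed_by_directory(directory, der_bytes):
    """Return (entry DN or None, authorized flag) for the presented certificate."""
    dn = find_user_by_fingerprint(directory, cert_fingerprint(der_bytes))
    if dn is None:
        return None, False
    authorized = directory[dn].get("x-gatewayAuthorized", []) == ["TRUE"]
    return dn, authorized


if __name__ == "__main__":
    print("regex check:", allowed_by_dn_regex(SAMPLE_PEER_CERT))
    print("directory check:", allowed_by_directory(DIRECTORY, SAMPLE_PEER_DER))
```

The fingerprint lookup deliberately refuses when more than one entry claims the same fingerprint, since the gateway would otherwise have to guess which user to act as; with a real LDAP search the same rule applies to a result set of size other than one.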