
Re: TLS client certificate pb



Hi,

"Howard Chu" <hyc@highlandsun.com> writes:

[...]
>> Just write a saslRegexp to match your CN and you can use certificates
>> to authenticate. Here is the output of my certificate
>> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--
>> dieter@marin:/usr/local/bin> ./ldapsearch -Y EXTERNAL -ZZ -b
>> "cn=connections,cn=monitor" -s base
>> SASL/EXTERNAL authentication started
>> SASL username: Email=dieter@xxxxx,CN=Dieter Kluenter\2Cou=partner\2Cou=users\2Co=avci\2Cc=de,OU=ldapclient,O=avci,L=Hamburg,ST=Germany,C=DE
>> SASL SSF: 0
>> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>
> I hope you realize that the DN in your certificate, as displayed above, is
> not quite valid. It appears that you entered the value "Dieter
> Kluenter,ou=partner,ou=users,o=avci,c=de" for your CN attribute.

Frankly, no, I didn't :-(
I just misinterpreted RFC 2459, which says a name has to be a
DirectoryString.

> This is quite different from actually having a DN with those
> components present as RDNs. This certificate would be a problem for
> most PKI systems, as well as real X.500 servers, since LDAP DNs are
> reversed, relative to the X.500 data 
> structures.

Thanks to your remarks, I have now changed my certificate, which shows

dieter@marin:/usr/local/bin> ./ldapwhoami -Y EXTERNAL -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

and best of all, I don't need a mapping to my entry by means of
saslRegexp anymore.

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter@schevolution.com
http://www.schevolution.com/tour
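The point of Howard's remark is visible in the `\2C` sequences of the first SASL username: the commas are escaped because they are part of the CN value, so the whole "Dieter Kluenter,ou=partner,..." string is a single RDN, while the second certificate has four separate RDNs that match the entry DN after case folding. The following Python is an added illustration, not code from this thread or from OpenLDAP: it splits an RFC 2253 style DN string at unescaped commas, decodes `\XX` hex and `\,` escapes, and compares the two SASL usernames from the messages above against the entry DN that ldapwhoami returned. The DN strings are copied from the thread (the `dieter@xxxxx` address is as masked on the page); the function names and the case-folding rule are this example's own assumptions and are not how slapd internally compares DNs.

```python
"""Parse X.509 / LDAP distinguished names as printed by ldapsearch and
ldapwhoami (RFC 2253 string form) and show why a CN that *contains*
commas is one RDN, not several."""

import string


def _split_unescaped(s, sep):
    """Split s at every unescaped occurrence of sep, leaving escapes intact."""
    parts, start, i = [], 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 2  # skip the escaped character (or the first hex digit)
            continue
        if s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    parts.append(s[start:])
    return parts


def unescape(raw):
    """Decode RFC 2253 escapes: \\XX is a raw byte (UTF-8), \\c is the literal c."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            hexpair = raw[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
                out.append(int(hexpair, 16))
                i += 3
                continue
            out.extend(raw[i + 1].encode("utf-8"))
            i += 2
            continue
        out.extend(c.encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Return the DN as a list of (attribute_type, value) RDNs in LDAP order.
    Multi-valued RDNs (a=x+b=y) are not needed here and are left unsplit."""
    rdns = []
    for raw_rdn in _split_unescaped(dn, ","):
        attr, _, value = raw_rdn.partition("=")
        rdns.append((attr.strip(), unescape(value.lstrip(" "))))
    return rdns


def normalize(rdns):
    """Case-fold types and values (assumption: a caseIgnore-style comparison,
    sufficient for the names in this thread)."""
    return [(t.lower(), " ".join(v.split()).lower()) for t, v in rdns]


def to_x500_order(rdns):
    """LDAP strings put the leaf RDN first; X.500 data structures start at the root."""
    return list(reversed(rdns))


def sasl_name_matches_entry(sasl_username, entry_dn):
    """True when the SASL/EXTERNAL username (the certificate subject in LDAP
    order) already equals the entry DN, so no saslRegexp mapping is needed."""
    return normalize(parse_dn(sasl_username)) == normalize(parse_dn(entry_dn))


# DN strings taken from the messages above.
OLD_SASL_NAME = ("Email=dieter@xxxxx,CN=Dieter Kluenter\\2Cou=partner\\2Cou=users"
                 "\\2Co=avci\\2Cc=de,OU=ldapclient,O=avci,L=Hamburg,ST=Germany,C=DE")
NEW_SASL_NAME = "CN=Dieter Kluenter,OU=partner,O=avci,C=de"
ENTRY_DN = "cn=dieter kluenter,ou=partner,o=avci,c=de"

if __name__ == "__main__":
    for name in (OLD_SASL_NAME, NEW_SASL_NAME):
        rdns = parse_dn(name)
        print(len(rdns), "RDNs; CN value:", [v for t, v in rdns if t.upper() == "CN"])
        print("  X.500 order:", to_x500_order(rdns))
        print("  matches entry without mapping:", sasl_name_matches_entry(name, ENTRY_DN))
```

Running it shows the old subject parsed as seven RDNs whose CN value still contains the literal commas, and the new subject as four RDNs that equal the entry DN once case is folded, which is why the saslRegexp mapping became unnecessary.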