Re: client certificates -- howto?
Fair enough. And googling around with random combinations of 10 or so
keywords helped me out a bit. So it's in the archive, I found the
following especially useful:
http://www.opengroup.org/messaging/G260/tech11.htm
I've sent a message to the openssl users list asking this... The 'openssl
req' command will ask for components of a DN and try to assemble it
itself; clearly, however, I already know the exact DN to specify. How can
I do this?
On Sat, 2003-09-20 at 19:22, Dieter Kluenter wrote:
> OK. Just a simple method to authenticate against openldap:
> 1. create user certificates with a DN matching the DN in the DIT
> 2. sign these certificates with your cacert
> 3. distribute cacert.pem to your hosts
> 4. create ~/.ldaprc files with TLS entries according to man ldap.conf
> 5. start authenticating, using sasl EXTERNAL mechanism and forcing TLS
>
> dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
> SASL/EXTERNAL authentication started
> SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
> SASL SSF: 0
> dn:cn=dieter kluenter,ou=partner,o=avci,c=de
>
> SASL username is extracted from the certificate.
>
> -Dieter
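
Steps 1, 2 and 4 of the quoted procedure as a shell sketch, added here as an example and not part of either post. It passes the exact DN to `openssl req` with `-subj` so nothing is prompted; the throwaway CA, file names, key size and validity period are assumptions, and the DN components are the ones shown in the `ldapwhoami` output above.

```shell
#!/bin/sh
# Added example. DN components come from the ldapwhoami output in the thread;
# file names, key size and validity are assumptions made for illustration.

make_client_cert() {
    dir=$1
    # Throwaway CA standing in for "your cacert" (constructed for this example).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/C=de/O=avci/CN=Example CA' \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1

    # Step 1: key and CSR. -subj passes the exact DN, so 'openssl req' asks nothing.
    # Components are listed most-significant first (reverse of the LDAP string form).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/C=de/O=avci/OU=partner/CN=Dieter Kluenter' \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null || return 1
    chmod 600 "$dir/user.key"

    # Step 2: sign the request with the CA.
    openssl x509 -req -in "$dir/user.csr" -days 30 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/user.pem" 2>/dev/null || return 1

    # Step 4: contents for ~/.ldaprc (TLS_CERT and TLS_KEY are user-only options).
    printf 'TLS_CACERT %s\nTLS_CERT %s\nTLS_KEY %s\n' \
        "$dir/cacert.pem" "$dir/user.pem" "$dir/user.key" > "$dir/ldaprc"
}

# Print the certificate subject in LDAP string order, the form shown as the
# SASL username in the quoted ldapwhoami output.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Check the signature chain before distributing anything.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && make_client_cert "$demo" && cert_subject "$demo/user.pem"
```

Comparing the `cert_subject` output with the entry's DN in the DIT before signing catches a mismatch that would otherwise only show up at step 5.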