
RE: SUMMARY Re: client certificates -- howto?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jeff Warnica

> After finishing up the summary I have a few questions:
>
> 1) Why isn't ldapwhoami converting "0.9.2342.19200300.100.1.1" to "uid"?

The OpenSSL library doesn't automatically read openssl.cnf by default. On the
client side neither the OpenSSL nor OpenLDAP library know what attribute
corresponds to the given OID. (The OpenSSL library has a handful of OIDs
hardcoded, and uid isn't one of them.) The slapd server maps a certificate DN
using its own schema, regardless of the schema that the OpenSSL library knows
about. That's why this all works even though the client doesn't have enough
schema knowledge.

> 2) Why is the SSF 0?

SASL SSF tells how much security the SASL library has added to the session.
When using the EXTERNAL mech, the SASL library is acting only as a passthru
layer and does no security operations of its own. The TLS SSF is a separate
value, and apparently the client doesn't report it.

> 3) Is there a .ldaprc directive to use the sasl EXTERNAL mech all the
> time?

There is a keyword for this purpose, but it in fact does nothing at the
moment. There's a bug filed in ITS about this. (ITS#2717). Looks like a loose
end that was never caught.

I note that your cert DN really ought to match your LDAP DN. SASL regexp
mapping will make it work for slapd but if you ever want to use the cert for
anything else, like signing/encrypting email, a cert DN that consists only of
"uid=foo" is going to cause headaches.

And as I mentioned before, nothing in OpenLDAP requires the cert to be stored
in the directory before it can be used. The OpenSSL library only uses certs
stored in the filesystem.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> This is a summary of how I created a working client certificate. I
> already had server certs working - and this required setting up a CA for
> myself. My directory is set up such that 'uid' is used in the DN. If
> yours isn't, I doubt that this will work for you:
>
> I first created a minimal openssl configuration file to teach openssl
> about the concept of 'uid':
>
> >>>>>>>>>>>>>>>>
> oid_section             = new_oids
>
> [ new_oids ]
> uid=0.9.2342.19200300.100.1.1
> [ req ]
> default_bits                    = 1024
> default_keyfile                 = user.key
> distinguished_name              = req_distinguished_name
> string_mask                     = nombstr
> req_extensions                  = v3_req
> [ req_distinguished_name ]
> uid                             = user id
> uid_max                         = 20
> [ v3_req ]
> nsCertType                      = client,email
> basicConstraints                = critical,CA:false
> <<<<<<<<<<<<<<<<<
> (it is likely that not all of that is necessary)
>
> I called it 'user-cert.conf'
>
> I generated the private key:
>
> $ openssl genrsa -out USERNAME.key 1024
>
> and then created a 'certificate signing request'
>
> $ openssl req -new -config user-cert.conf -key USERNAME.key \
> 	-out USERNAME.csr
> (all one line)
>
> (how to set up a CA is actually documented elsewhere)
>
> Now, in the role of the Certificate Authority God I had to make some
> changes to the 'openssl.cnf' file:
> - in the "[ new_oids ]" section added the line:
> uid=0.9.2342.19200300.100.1.1
> - in both the policy_match and policy_anything sections I changed
>    all the existing lines to 'optional' and added:
> uid                     = supplied
> - processed the request with the following command:
> # openssl ca -config openssl.cnf -out ~USERNAME/certs/USERNAME.crt \
> 	-infiles ~USERNAME/certs/USERNAME.csr
>
> I then returned to being a mere mortal to continue.
>
> - convert the .crt format certificate to something that openldap likes:
>
> $ openssl x509 -inform PEM -outform DER -in USERNAME.crt \
> 	-out USERNAME.crt.der
>
> I created a minimal ldif file to update my LDAP user object:
> >>>>>>
> dn: uid=USERNAME,ou=staff,ou=people,o=chebucto,c=ca
> changetype: modify
> replace: userCertificate;binary
> userCertificate;binary:< file:///home/USERNAME/certs/USERNAME.crt.der
> <<<<<<<<
>
> - ran the update:
>
> $ ldapmodify -Z -f ldif
>
> The only change I had to make to slapd.conf was to include the
> following lines:
>
> >>>>
> TLSVerifyClient try
>
> sasl-regexp
>         uid=(.*)
>         ldap:///o=chebucto,c=ca??sub?(uid=$1)
> >>>
>
> restarted slapd for these to take effect.
>
> I updated my ~/.ldaprc to set up the key/cert pair so I can actually use
> this... Added the lines:
>
> >>>>>>
> TLS_REQCERT demand
> TLS_CERT /home/USERNAME/certs/USERNAME.crt
> TLS_KEY  /home/USERNAME/certs/USERNAME.key
> >>>>>
>
> And success:
>
> $ ldapwhoami -Y EXTERNAL -Z
> SASL/EXTERNAL authentication started
> SASL username: 0.9.2342.19200300.100.1.1=jeffw
> SASL SSF: 0
> dn:uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca
>
> {end howto}
>
>
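As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of what the server does with the identity the client reports: it normalizes the numeric OID in the certificate DN to `uid` using a schema table (the step the client's OpenSSL library cannot do, hence the numeric form in the ldapwhoami output), applies the thread's `sasl-regexp` rule, and splits the resulting LDAP URL into its parts. The OID table and the rule are taken from the messages above; the DN handling is simplified (no escaped commas).

```python
import re

# Schema table, constructed for this example: the one OID the thread discusses.
# OpenSSL's built-in table lacks it, so the client prints the dotted form.
OID_NAMES = {"0.9.2342.19200300.100.1.1": "uid"}

# The sasl-regexp pair from the quoted slapd.conf.
SASL_REGEXP = (r"uid=(.*)", "ldap:///o=chebucto,c=ca??sub?(uid=$1)")


def normalize_dn(dn: str) -> str:
    """Replace known numeric OIDs in RDN attribute types with their short
    names, as slapd does with its own schema. Unknown OIDs stay numeric.
    Simplified: assumes no escaped commas in attribute values."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip()
        out.append(f"{OID_NAMES.get(attr, attr)}={value}")
    return ",".join(out)


def map_identity(sasl_name: str, rule=SASL_REGEXP):
    """Apply a sasl-regexp rule to a (normalized) SASL identity and return
    the LDAP URL it expands to, or None when the pattern does not match.
    The pattern is searched unanchored, so an unanchored '(.*)' captures
    everything after 'uid=', including any trailing RDNs."""
    pattern, replacement = rule
    m = re.search(pattern, normalize_dn(sasl_name))
    if m is None:
        return None
    url = replacement
    for i, group in enumerate(m.groups(), start=1):
        url = url.replace(f"${i}", group)
    return url


def parse_ldap_url(url: str) -> dict:
    """Split ldap:///base?attrs?scope?filter into its four components."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    base, attrs, scope, filt = (parts + ["", "", "", ""])[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base", "filter": filt}


if __name__ == "__main__":
    # The identity ldapwhoami printed in the thread.
    url = map_identity("0.9.2342.19200300.100.1.1=jeffw")
    print(url, parse_ldap_url(url))
```

The second case in the tests below shows why the cert DN should carry exactly the RDN the rule expects: with a longer subject DN the capture group swallows the rest of the DN and the search filter is no longer a plain uid lookup.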