
Re: user authentication by userCertificate



Armin Wenz writes:
> is it possible to authenticate a user not by password but by
> userCertificate with version 2.3.x?

No.  However you can authenticate with certificates: The client can
send the certificate during TLS/SSL negotiation, and afterward use
Bind:SASL/EXTERNAL to authenticate as the DN in that certificate.

Configure the server to verify client certificates with TLSVerifyClient,
TLSCACertificateFile, maybe TLSCRLCheck.  Or TLSCACertificatePath
instead of ...File; if so set up that directory with some magic OpenSSL
command.  Don't remember which one.

You may need to rewrite DNs from your certificates to the naming
structure of DNs in your directory with 'authz-regex' or 'sasl-regexp'.
On the other hand, with different names you can tell in access
statements which DNs come from certificates and which come from Simple
Bind etc.

Finally, the server will not necessarily require the DN in the
certificate to exist in the directory.  Haven't checked how OpenLDAP
behaves about that.  If it doesn't, I suppose you could use
  access ... by set ...
to look up the 'user' entry and verify that it exists, see
  http://www.openldap.org/faq/data/cache/1133.html

-- 
Hallvard
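The configuration the reply describes, written out as an added example (not part of the original post or of OpenLDAP's own documentation). It assumes a hypothetical directory under dc=example,dc=com, a CA file at /etc/openldap/cacert.pem and a client certificate whose subject is "CN=Armin Wenz, OU=People, DC=example, DC=com"; the exact form in which slapd renders the certificate subject (attribute-type case, spacing) depends on the build, so the regexp below is an assumption to check with `ldapwhoami` before relying on it:

```conf
# --- slapd.conf (server side) ---------------------------------------------
# Weak setting: the server never asks the client for a certificate, so
# SASL/EXTERNAL has no identity to work with.
#TLSVerifyClient never

# Corrected setting: require a certificate and verify it against the CA.
# "demand" fails the TLS handshake if the client presents no certificate
# or one the CA chain does not validate; "allow"/"try" would let an
# unauthenticated TLS session through, which is not what we want here.
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/ldap.example.com.crt
TLSCertificateKeyFile  /etc/openldap/ldap.example.com.key
TLSVerifyClient        demand
# Reject revoked client certificates; requires the CRL to be present in
# the CA file or CA path ("peer" checks the presented cert only).
TLSCRLCheck            peer
# Alternative to TLSCACertificateFile: a directory of CA certs indexed by
# subject hash. The "magic OpenSSL command" that sets it up is
#   c_rehash /etc/openldap/cacerts   (or: openssl rehash, in newer OpenSSL)
#TLSCACertificatePath  /etc/openldap/cacerts

# The certificate subject arrives as an authentication DN, e.g.
#   cn=armin wenz,ou=people,dc=example,dc=com      (assumed rendering)
# Map it onto the real entry by searching for the cn. Using an ldap:///
# URL means the bind only succeeds if the search returns exactly one
# entry, so the entry must exist in the directory (assumption: this is
# what makes the "by set" check the reply mentions unnecessary).
authz-regexp
    "^cn=([^,]+),ou=people,dc=example,dc=com$"
    "ldap:///ou=People,dc=example,dc=com??one?(cn=$1)"

# If you deliberately keep certificate DNs distinct from the directory's
# own DNs instead, ACLs can tell the two apart by DN pattern:
#access to dn.subtree="ou=People,dc=example,dc=com"
#    by dn.regex="^cn=[^,]+,ou=certusers,dc=example,dc=com$" read
#    by self write

# Hallvard's fallback if the mapped DN is not required to exist: a set
# that resolves to the bound entry's attributes is empty when the entry
# is missing, and an empty set grants nothing (assumed set semantics).
access to dn.subtree="ou=People,dc=example,dc=com"
    by set="user/objectClass" read
    by * none

# --- client side (~/.ldaprc or /etc/openldap/ldap.conf) -------------------
# TLS_CACERT   /etc/openldap/cacert.pem
# TLS_CERT     /home/armin/armin.crt
# TLS_KEY      /home/armin/armin.key
# TLS_REQCERT  demand
#
# Check what the server thinks you are after the regexp mapping:
#   ldapwhoami -H ldap://ldap.example.com/ -ZZ -Y EXTERNAL
# expected (if the mapping works): dn:cn=Armin Wenz,ou=People,dc=example,dc=com
# If it prints the raw certificate DN instead, adjust the regexp to the
# form slapd actually rendered.
```

Run the `ldapwhoami` check with `-d` on the server (`slapd -d 256` or higher) the first time: the authz-regexp match is logged, which is the fastest way to see the exact DN string your build produces from the certificate.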