
Re: tlsverifyclient security implications



Josh Mullis <josh.mullis@cox.com> wrote:

> What are the security implications concerning the following setting in
> slapd.conf:
> tlsverifyclient allow

As far as I understand, if the client sends a certificate, then slapd
can use it to map the client to an LDAP DN, like this:
authz-regexp    cn=foo uid=foo,dc=example,dc=net

If the client does not send a certificate, it can still connect.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
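
An added example, not part of the original message or of OpenLDAP: a small audit that reads slapd.conf text and reports what the effective tlsverifyclient level lets through, using the level semantics documented in slapd.conf(5). The names audit, LEVELS, ALIASES and SAMPLE are hypothetical, the sample configuration is constructed from the two directives quoted in the thread, and treating the last tlsverifyclient occurrence as the effective one is an assumption.

```python
# Session outcome per TLSVerifyClient level, following slapd.conf(5):
# (certificate requested, proceeds with no cert, proceeds with a bad cert)
LEVELS = {
    "never":  (False, True,  True),
    "allow":  (True,  True,  True),
    "try":    (True,  True,  False),
    "demand": (True,  False, False),
}
ALIASES = {"hard": "demand", "true": "demand"}

# Constructed sample input, built from the two directives quoted in the thread.
SAMPLE = """\
# constructed slapd.conf fragment
tlsverifyclient allow
authz-regexp    cn=foo uid=foo,dc=example,dc=net
"""


def audit(conf_text):
    """Return (effective level, list of findings) for slapd.conf text."""
    level, mappings = "never", 0           # "never" is slapd's default
    for raw in conf_text.splitlines():
        # Skip blanks, '#' comments and continuation lines (leading whitespace).
        if not raw.strip() or raw[0] == "#" or raw[0].isspace():
            continue
        words = raw.split()
        key = words[0].lower()             # directive names are case-insensitive
        if key == "tlsverifyclient" and len(words) > 1:
            value = words[1].lower()
            level = ALIASES.get(value, value)  # assumption: last occurrence wins
        elif key == "authz-regexp":
            mappings += 1
    if level not in LEVELS:
        raise ValueError("unknown TLSVerifyClient level: " + level)
    requested, ok_without, ok_bad = LEVELS[level]
    findings = []
    if ok_without:
        findings.append("clients that send no certificate can still connect")
    if requested and ok_bad:
        findings.append("an invalid client certificate is ignored, not rejected")
    if mappings and ok_without:
        findings.append("authz-regexp identity mapping covers only clients that send a certificate")
    return level, findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

With "allow" all three findings are reported; with "demand" the list is empty, because a session without a valid client certificate is terminated.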