[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: web apps and client certificate authentication

To: Kurt@OpenLDAP.org (Kurt Zeilenga)
Subject: Re: web apps and client certificate authentication
From: manu@netbsd.org (Emmanuel Dreyfus)
Date: Sun, 11 Jan 2009 20:22:25 +0100
Cc: openldap-technical@OpenLDAP.org
In-reply-to: <DC660B5D-FD3F-4362-9962-E53728F3B9DD@OpenLDAP.org>
User-agent: MacSOUP/2.7 (unregistered for 723 days)

Kurt Zeilenga <Kurt@OpenLDAP.org> wrote:

> Why?  Generally, the web application is part of the service which  
> encompasses the web server and directory service.  They should already
> have an appropriate trust relationship.

When using plain password authentication, the web app can just hands the
DN and password to slapd, it does not need any special privilege. 

If the web app is entrusted with an authzTo: *, then a bug in it could
be used to get full directory access.

> > That is, having the web application
> > behaving as a kind of proxy, without any special privilege on the
> > directory. Is that possible? If it is, where should I start?
> Would require cooperation between the web server and the directory  
> server.  So nothing gained, IMO, except complexity.

This would be complexity in an unprivilegied piece of code, rather than
giving trust to an application. Both approaches have merits. In order to
really compare them, one need an idea of the complexity.

How would one implement that kind of "proxy certificate authentication"?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org

Follow-Ups:
- Re: web apps and client certificate authentication
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

References:
- Re: web apps and client certificate authentication
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

Prev by Date: Re: web apps and client certificate authentication
Next by Date: Re: web apps and client certificate authentication
Index(es):
- Chronological
- Thread