[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL rule match if client certificate was used?

Subject: Re: ACL rule match if client certificate was used?
From: David Hawes <dhawes@vt.edu>
Date: Tue, 05 Jun 2012 17:39:03 -0400
Cc: openldap-technical@openldap.org
In-reply-to: <4FCE4522.4050102@stormcloud9.net>
References: <4FCE4522.4050102@stormcloud9.net>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1

On 2012-06-05 13:42, Patrick Hemmer wrote:
> Is there any way to create an ACL rule which will match if a client
> certificate was used on the connection or not?
> I'd like to do an ACL such as
> 
> to attrs=userPassword
> by peername.ip="1.2.3.0%255.255.255.0" auth
> by client_ssf="64" auth
> 
> Also set olcTLSVerifyClient=try
> 
> This will let our internal network authenticate against ldap without
> needing a client cert, but anyone outside our internal network must have
> one. We would then use our own CA to create certificates for all the
> clients and tell OpenLDAP to trust only that CA.
> Obviously client_ssf doesnt exist, but is there another way of
> accomplishing this goal?

I wrote a proof of concept dynacl that essentially does this. The ACL
looked something like:

access to attrs=userPassword
    by dynacl/clientAuth auth

All the dynacl does is determine if there is an authid in the SASL
context. If so, a client certificate was used and access can be granted.

Examples of dynacls can be found in contrib/slapd-modules/acl.

Follow-Ups:
- Re: ACL rule match if client certificate was used?
  - From: Patrick Hemmer <openldap@stormcloud9.net>

References:
- ACL rule match if client certificate was used?
  - From: Patrick Hemmer <openldap@stormcloud9.net>

Prev by Date: Re: ACL rule match if client certificate was used?
Next by Date: Re: ACL rule match if client certificate was used?
Index(es):
- Chronological
- Thread