
Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication



Looks promising. For instance the function PK11_FindKeyByDERCert in tls_m.c. I will try it with this one.

On 24.06.2013 18:26, Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11
URI containing a pinfile attribute) I tried to set those PKCS#11 URIs in the
ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM
encoded files (see function tlsg_ctx_init in tls_g.c) and the connection
initialization fails trying to read the PKCS#11 URI from the local file system.

So currently there seems to be no way to configure the OpenLDAP client to look
up the PKCS#11 store for the client key as well as the client certificate to
establish a client-authenticated TLS connection.

If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss
(--with-tls=moznss). Never tried that myself though.

Ciao, Michael.




--
Kind regards,

Stefan Scheidewig

T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com

T-Systems Multimedia Solutions GmbH
Supervisory board: Klaus Werner (Chairman)
Management: Peter Klingenburg, Susanne Heger
Commercial register: Amtsgericht Dresden HRB 11433
Registered office: Dresden
VAT ID: DE 811 807 949
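The failure mode described in the thread (a `pkcs11:` URI in TLS_CERT/TLS_KEY being opened as a PEM file path by the GnuTLS backend) is easy to catch before a client ever tries to connect. The following pre-flight check is an added example, not code from the OpenLDAP project or from either poster; the function names `tls_source_kind` and `check_ldaprc`, the sample ldaprc files and the placeholder PEM bodies are all constructed for this illustration. It only relies on the real ldaprc syntax of one `OPTION value` per line.

```shell
#!/bin/sh
# Added example: pre-flight check for an ldaprc whose TLS_CERT / TLS_KEY must be
# PEM files. With OpenLDAP built against GnuTLS (tls_g.c, tlsg_ctx_init) libldap
# reads these values as PEM files, so a "pkcs11:" URI is treated as a file name
# and TLS initialisation fails. Function names below are ours, not libldap's.

# Classify one TLS_CERT / TLS_KEY value. Prints exactly one of:
#   pkcs11-uri   a PKCS#11 URI (not usable with the GnuTLS backend)
#   pem-file     readable file carrying a "-----BEGIN" PEM header
#   not-pem      readable file without a PEM header (e.g. DER or PKCS#12)
#   unreadable   file missing or not readable
tls_source_kind() {
    src=$1
    case $src in
        pkcs11:*) echo pkcs11-uri; return 0 ;;
    esac
    if [ ! -r "$src" ]; then
        echo unreadable
        return 0
    fi
    if grep -q -- '-----BEGIN ' "$src"; then
        echo pem-file
    else
        echo not-pem
    fi
}

# Read TLS_CERT and TLS_KEY from an ldaprc file and report whether the GnuTLS
# backend can use them. Returns 0 when both are PEM files, 1 otherwise.
check_ldaprc() {
    rc=$1
    status=0
    for opt in TLS_CERT TLS_KEY; do
        # ldaprc syntax: "OPTION value"; leading whitespace allowed, first hit wins
        val=$(sed -n "s/^[[:space:]]*$opt[[:space:]]\{1,\}//p" "$rc" | head -n 1)
        if [ -z "$val" ]; then
            echo "$opt: not set in $rc"
            status=1
            continue
        fi
        kind=$(tls_source_kind "$val")
        case $kind in
            pem-file)
                echo "$opt: $val (PEM file, usable)" ;;
            pkcs11-uri)
                echo "$opt: $val is a PKCS#11 URI; the GnuTLS backend opens this value as a PEM file path and will fail"
                status=1 ;;
            *)
                echo "$opt: $val ($kind)"
                status=1 ;;
        esac
    done
    return $status
}

# Demo on constructed files (placeholder PEM bodies, not real credentials).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' > "$demo_dir/client-cert.pem"
printf -- '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n' > "$demo_dir/client-key.pem"
printf 'TLS_CERT %s\nTLS_KEY %s\n' "$demo_dir/client-cert.pem" "$demo_dir/client-key.pem" > "$demo_dir/pem.rc"
printf 'TLS_CERT pkcs11:token=demo;object=cert\nTLS_KEY pkcs11:token=demo;object=key;pinfile=/tmp/demo.pin\n' > "$demo_dir/pkcs11.rc"
check_ldaprc "$demo_dir/pem.rc"
echo "--"
check_ldaprc "$demo_dir/pkcs11.rc" || echo "pkcs11.rc: not usable with the GnuTLS backend"
rm -rf "$demo_dir"
```

Running the script prints both entries of `pem.rc` as usable and flags both entries of `pkcs11.rc`, which is the situation the original poster hit. The check is deliberately header-based rather than calling `openssl` or `certtool`, so it works on a minimal client box; it does not validate that the key and certificate actually match.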