[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Preliminary TLS/SSL success

Julio Sánchez Fernández wrote:

> ... I am still wondering about how to map data in the certificates to DNs.

It's a complex problem.

> For certificates granted by public commercial CAs, a direct mapping of those
> names into directory DNs may result impractical.

It's totally impractical, in my experience.

> On the other hand, approaches based on searching in the directory, limit
> severely the prospects of allowing granting of privileges in the directory
> to identities strongly verified but that correspond to DNs that do not
> reside in this particular directory.  For instance, we are part of a large
> organization composed of several related, but legally and organizationally
> different, entities.  We want to have controlled access from one part of the
> organization to the directories in other parts.  That is, I want to believe
> the certificates granted at some other place and grant those identities
> access to my directory, but those subjects are not in my directory and I
> don't want to make a search against their directory just to accept the bind.

Why not?  It has drawbacks, of course, but it has advantages, too.  I wouldn't
reject it instantly.

Two other reasonable alternatives are:

- Search your own directory, to find an entry (probably created for this
purpose) whose DN will be the client's authorization identity.  Perhaps the
client's authentication identity must match this entry; for example, the
client's certificate must be equal to a userCertificate;binary attribute of
the entry.

- Extend your access control mechanism, to support an authorization identity
that is not the DN of a local directory entry.  Netscape Directory Server
supports this; it's configured by allowing access to the members of a
groupOfCertificates.  This mechanism is designed to support a security system
in which a client's certificate's subject DN is essentially a capability
list.  Access is allowed if that list contains certain name/value pairs, which
are stated in a memberCertificateDescription attribute.  For details, see