[Date Prev][Date Next]
Re: Preliminary TLS/SSL success
Julio Sánchez Fernández wrote:
> ... I am still wondering about how to map data in the certificates to DNs.
It's a complex problem.
> For certificates granted by public commercial CAs, a direct mapping of those
> names into directory DNs may result impractical.
It's totally impractical, in my experience.
> On the other hand, approaches based on searching in the directory, limit
> severely the prospects of allowing granting of privileges in the directory
> to identities strongly verified but that correspond to DNs that do not
> reside in this particular directory. For instance, we are part of a large
> organization composed of several related, but legally and organizationally
> different, entities. We want to have controlled access from one part of the
> organization to the directories in other parts. That is, I want to believe
> the certificates granted at some other place and grant those identities
> access to my directory, but those subjects are not in my directory and I
> don't want to make a search against their directory just to accept the bind.
Why not? It has drawbacks, of course, but it has advantages, too. I wouldn't
reject it instantly.
Two other reasonable alternatives are:
- Search your own directory, to find an entry (probably created for this
purpose) whose DN will be the client's authorization identity. Perhaps the
client's authentication identity must match this entry; for example, the
client's certificate must be equal to a userCertificate;binary attribute of
- Extend your access control mechanism, to support an authorization identity
that is not the DN of a local directory entry. Netscape Directory Server
supports this; it's configured by allowing access to the members of a
groupOfCertificates. This mechanism is designed to support a security system
in which a client's certificate's subject DN is essentially a capability
list. Access is allowed if that list contains certain name/value pairs, which
are stated in a memberCertificateDescription attribute. For details, see