certificate mapping (Was: Netscape SLAPI -- IBM contribution to OpenLDAP)

At 10:57 AM 2001-12-03, Kartik Subbarao wrote:
>One question -- does this implementation include the certificate
>mapping API capabilities that Netscape also provides, or would that
>need to be implemented separately?

I'm not sure exactly what features other vendors provide.  Can
you describe these?

>One of the things holding us back
>from using OpenLDAP more broadly is the current lack of ability to map
>an SSL client certificate to a DN in the directory, and use that DN in
>ACIs, etc.

This is actually possible today.  That is, when SASL EXTERNAL is
used with TLS (SSL), the TLS layer provides SASL with the
authentication identity (a DN), which is then mapped onto
an LDAP authzid, which is then mapped to a subject DN for access
control evaluation.
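Added example, not part of this thread and not OpenLDAP's own code: a small Python model of the three-step chain described in the reply above (TLS client certificate subject DN -> SASL EXTERNAL authentication identity -> LDAP authzid -> subject DN for access control). The certificate subjects, the regexp rewrite rules (written in the spirit of slapd's authz-regexp directive, first match wins, unmatched identities fall through unchanged) and the ACL table are all constructed for illustration.

```python
import re

# Constructed: subject DN of a client certificate, as the TLS layer would
# hand it to SASL EXTERNAL as the authentication identity.
CERT_SUBJECT_DN = "CN=ksubbarao,OU=Engineering,O=Example Corp,C=US"

# Constructed rewrite rules (pattern, replacement) modelled on slapd's
# authz-regexp: patterns are matched against the normalized
# authentication DN and the first match rewrites it to a directory DN.
MAPPING_RULES = [
    (r"^cn=([^,]+),ou=engineering,o=example corp,c=us$",
     r"uid=\1,ou=people,dc=example,dc=com"),
    (r"^cn=([^,]+),ou=admins,o=example corp,c=us$",
     r"cn=\1,ou=admins,dc=example,dc=com"),
]

# Constructed stand-in for ACIs: subject DN -> operations it may perform.
ACL = {
    "uid=ksubbarao,ou=people,dc=example,dc=com": {"read", "write"},
}


def normalize_dn(dn):
    """Lowercase the DN and strip whitespace around RDN separators so that
    regexp rules match regardless of how the CA formatted the subject."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(parts).lower()


def map_authc_to_authz(authc_dn, rules=MAPPING_RULES):
    """Step 2: rewrite the authentication DN into an LDAP authzid.
    The first matching rule wins; if no rule matches, the authentication
    DN is used as-is, so a cert from an unexpected branch maps to nothing
    that the ACL knows about."""
    for pattern, replacement in rules:
        if re.match(pattern, authc_dn):
            return re.sub(pattern, replacement, authc_dn)
    return authc_dn


def access_allowed(subject_dn, operation, acl=ACL):
    """Step 3: evaluate access control against the mapped subject DN."""
    return operation in acl.get(subject_dn, set())


def authorize_client_cert(cert_subject, operation, rules=MAPPING_RULES, acl=ACL):
    """Run the whole chain and return (subject DN, allowed?)."""
    authc_dn = normalize_dn(cert_subject)          # step 1: TLS -> SASL EXTERNAL
    subject_dn = map_authc_to_authz(authc_dn, rules)  # step 2: authcid -> authzid
    return subject_dn, access_allowed(subject_dn, operation, acl)  # step 3


if __name__ == "__main__":
    for subject in (CERT_SUBJECT_DN,
                    "CN=mallory,OU=Contractors,O=Example Corp,C=US"):
        dn, ok = authorize_client_cert(subject, "write")
        print(f"{subject!r} -> {dn!r}: write {'allowed' if ok else 'denied'}")
```

The second sample subject shows the fall-through case: a certificate issued under a branch no rule covers keeps its raw subject DN as identity, which the ACL does not list, so the request is denied rather than silently mapped to a directory entry.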