
RE: certificate mapping (Was: Netscape SLAPI -- IBM contribution to OpenLDAP)

I'm not intimately familiar with the Netscape SDK, but I note that the URL
you reference indicates that the ldapssl_clientauth_init() function is part
of a deprecated API. If you look at Chapter 12 of their manual, "Connecting
Over SSL" they also talk about using a SASL EXTERNAL bind to establish
client authentication with SSL.

The short answer is that whatever Netscape is doing to handle client
authentication with SSL but without SASL is not part of any standard LDAP
specification, and therefore OpenLDAP doesn't handle it. OpenLDAP supports
the standard method, which is to use SASL/EXTERNAL.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kartik Subbarao
> Sent: Monday, December 03, 2001 3:00 PM
> To: Kurt D. Zeilenga
> Cc: openldap-devel@OpenLDAP.org

> > This is actually possible today.  That is, when SASL EXTERNAL is
> > used with TLS (SSL), the TLS layer provides SASL with the
> > authentication identity (a DN), which is then mapped onto
> > an LDAP authzid, which is then mapped to a subject DN for access
> > control evaluation.
> Well, that sounds a lot more involved than the standard SSL client
> certificate-based authentication. We need to be able to support clients
> that make the following kind of API call:
> http://docs.iplanet.com/docs/manuals/dirsdk/csdk41/html/function.htm#26024
> This is the ldapssl_clientauth_init() function, which would be invoked with
> client certificate information. Also equivalent is the -K option to Netscape's
> ldapsearch command. Is this something that OpenLDAP could support?
> Caveat: my SSL/TLS expertise is not as high as most
> folks in this august forum, so please be kind if I screwed up and
> oversimplified something :-)
> -Kartik
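The chain Kurt describes above (certificate subject DN handed over by the TLS layer, turned into a SASL authzid, then mapped to the subject DN used for access control) as a small Python model of the rewrite step that OpenLDAP performs with its authz-regexp directive. This is an added illustration, not code from OpenLDAP or from anyone in the thread; the rules, the subject DNs and the case-insensitive matching are constructed assumptions (real slapd normalizes the DN before matching).

```python
import re

# Constructed example rules in the style of OpenLDAP's authz-regexp:
# a regular expression matched against the SASL authorization identity,
# and a replacement in which $1, $2, ... refer to captured groups.
AUTHZ_RULES = [
    # Staff certificates: map the certificate subject onto ou=people.
    (r"dn:cn=([^,]+),ou=people,o=example corp,c=us",
     "cn=$1,ou=people,dc=example,dc=com"),
    # Service certificates: map onto ou=services.
    (r"dn:cn=([^,]+),ou=services,o=example corp,c=us",
     "cn=$1,ou=services,dc=example,dc=com"),
]


def authcid_from_tls(cert_subject_dn: str) -> str:
    """Step 1: after the TLS handshake has verified the client certificate,
    its subject DN becomes the SASL EXTERNAL identity, written as
    'dn:<subject DN>'. This function does no verification itself; it only
    models the hand-over from the TLS layer to SASL."""
    return "dn:" + cert_subject_dn


def map_to_subject_dn(authzid: str, rules=AUTHZ_RULES) -> str:
    """Step 2: rewrite the authzid into the DN used for access control.
    The first matching rule wins. With no match the DN from the certificate
    is used as-is, which is the failure mode a deployer must keep in mind:
    an unmatched certificate still yields an identity, just not a mapped one."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authzid, flags=re.IGNORECASE)
        if m:
            # Translate $1-style references into Python's \1 template form.
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return authzid[3:] if authzid.startswith("dn:") else authzid


def subject_dn_for_access_control(cert_subject_dn: str) -> str:
    """The whole chain: certificate subject -> SASL authzid -> entry DN."""
    return map_to_subject_dn(authcid_from_tls(cert_subject_dn))


if __name__ == "__main__":
    # Constructed subject DNs in the RFC 2253 string form a TLS library reports.
    for subject in ("CN=Kartik Subbarao,OU=People,O=Example Corp,C=US",
                    "CN=ldap-replica,OU=Services,O=Example Corp,C=US",
                    "CN=Visitor,O=Somewhere Else,C=US"):
        print(subject, "->", subject_dn_for_access_control(subject))
```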