
Re: certificate mapping (Was: Netscape SLAPI -- IBM contribution to OpenLDAP)

Howard Chu wrote:

I'm not intimately familiar with the Netscape SDK, but I note that the URL
you reference indicates that the ldapssl_clientauth_init() function is part
of a deprecated API. If you look at Chapter 12 of their manual, "Connecting
Over SSL" they also talk about using a SASL EXTERNAL bind to establish
client authentication with SSL.

The short answer is that whatever Netscape is doing to handle client
authentication with SSL but without SASL is not part of any standard LDAP
specification, and therefore OpenLDAP doesn't handle it. OpenLDAP supports
the standard method, which is to use SASL/EXTERNAL.

As I read it, the deprecated aspect of that particular function call is merely that it is thread-unsafe, and requires more static configuration. ldapssl_pkcs_init() is the new recommended function call to use:


    This function, added in version 4.0 of the LDAP C SDK, provides
    better SSL initialization than the previous ldapssl_*_init() SSL
    initialization functions ldapssl_client_init(),
    ldapssl_clientauth_init(), and ldapssl_advclientauth_init().

    The function ldapssl_pkcs_init() is preferred over these previous
    initialization functions because it is thread-safe, while the other
    ldapssl_*_init() functions are not.

I don't think it can be inferred from this that ordinary SSL client certificate-based authentication is to be deprecated as a whole in favor of SASL EXTERNAL binds. (If this is the case, please point me to where this is stated so that I can learn).

On a related note, do you know how one might use the OpenLDAP ldapsearch command in conjunction with a client certificate? In other words, is there something like:

ldapsearch --keyfile /tmp/privatekey.pem ... cn=foo

(The analog on Netscape's side right now is the -K argument to specify the private key file, along with -Z to specify SSL and -P to specify the certificate file).

If this is possible, my next question is where would the server decide how to map the certificate presented to a DN in the directory. (The analog to Netscape's certificate mapping interface).
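As an added illustration (not part of this thread, and not taken from either SDK's documentation), this is the OpenLDAP-side counterpart of the Netscape -K/-P/-Z switches together with the place where slapd maps the presented certificate to a directory DN. Directive names are those of OpenLDAP 2.2 and later (authz-regexp was spelled sasl-regexp in older releases); host names, base DNs, certificate subjects and file paths are placeholders.

```conf
# --- Client side: ~/.ldaprc ---
# OpenLDAP's ldapsearch has no -K/-P switches. The client certificate and
# key are taken from the TLS_* settings; TLS_CERT and TLS_KEY are user-only
# options, so they belong in ~/.ldaprc rather than the system ldap.conf.
TLS_CACERT  /etc/openldap/cacert.pem        # CA that issued the server cert
TLS_CERT    /home/foo/client-cert.pem       # Netscape -P equivalent (placeholder)
TLS_KEY     /home/foo/client-key.pem        # Netscape -K equivalent (placeholder)

# With that in place, certificate-based authentication is requested as a
# SASL/EXTERNAL bind over TLS (no simple bind, no password is sent):
#
#   ldapsearch -H ldap://ldap.example.com -ZZ -Y EXTERNAL \
#              -b "dc=example,dc=com" "(cn=foo)"
#
# -ZZ forces StartTLS and aborts if it cannot be negotiated (the Netscape -Z
# analog); -H ldaps://... works the same without -ZZ. -Y EXTERNAL tells slapd
# to take the identity from the TLS layer, i.e. from the verified client cert.

# --- Server side: slapd.conf ---
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem

# Require a client certificate and verify it against the CA; "demand" rejects
# the TLS handshake if no certificate chaining to the CA is presented.
TLSVerifyClient demand

# SASL/EXTERNAL hands slapd the certificate subject as an LDAP-style DN,
# e.g.  cn=foo,ou=people,o=example corp,c=us  (placeholder subject).
# authz-regexp is the OpenLDAP analog of Netscape's certificate mapping:
# it rewrites that subject into the directory DN the session is bound as.
#
# 1) Rewrite by pattern when the subject mirrors the directory layout:
authz-regexp
    "^cn=([^,]+),ou=people,o=example corp,c=us$"
    "cn=$1,ou=people,dc=example,dc=com"

# 2) Or look the entry up by attribute (search-URL form), so the subject can
#    be whatever the CA issues as long as exactly one entry matches:
# authz-regexp
#     "^cn=([^,]+),ou=people,o=example corp,c=us$"
#     "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"

# Rules are tried in order and the first match wins. If none matches, the
# session is authenticated as the raw subject DN, which normally names no
# entry in the directory and therefore gets no more than anonymous access.
```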