Re: SASL External : certificates stored in LDAP

* Francois Beretti <francois.beretti@enatel.com> [17-03-03 11:42]:
> Hello all
> is it planned[/possible] in future development to let the
> SASL/EXTERNAL mechanism directly work with user certificates stored in
> the OpenLDAP directory, instead of having them stored in the user
> filesystem ?
> or is it better to keep this concept off of the mechanism ? : if somebody
> wants it, he must make his own client that will first retrieve the
> userCertificate anonymously before starting an authenticated
> communication

 I think this idea is plain wrong. If the cert will be stored in the
DIT, what kind of authentication is that ? Every bind operation that
requests a SASL/EXTERNAL will be auth'ed based on the cert, i.e. every
client that knows a DN which authenticates with SASL/EXTERNAL and
has the cert stored on the server can authenticate as the DN.
 Doesn't this defeat the purpose of the authentication ?
 Correct me if I'm wrong, just my 2 cents.