[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL External : certificates stored in LDAP



Le mar 18/03/2003   12:43, Mitrana Cristian a écrit :
> * Francois Beretti <francois.beretti@enatel.com> [17-03-03 11:42]:
>  
> > Hello all
> > 
> > is it planned[/possible] in future developpement to let the
> > SASL/EXTERNAL mecanism directly work with user certificates stored in
> > the OpenLDAP directory, instead of having them stored in the user
> > filesystem ?
> > 
> > or is it better to keep this concept off of the mecanism ? : if somebody
> > wants it, he must make his own client that will first retrieve the
> > userCertificate anonymously before starting an authenticated
> > communication
> > 
> 
>  I think this idea is plain wrong. If the cert will be stored in the
> DIT, what kind of authentication is that ? Every bind operation that
> request a SASL/EXTERNAL will be auth'ed based on the cert, i.e. every
> client that knows a DN which auhtenticates with SASL/EXTERNAL and 
> has the cert stored on the server will can authenticate as the DN.
>  Doesn't this defeat the purpose of the authentication ?
>  Correct my if I'm wrong, just my 2cents.
> 

I disagree with you. The private key is mandatory to perform an
authentication based on certificates. And the owner of a certificate is
the only one who own the private key.
Certificate are public stuff and are often stored in directories, to let
other people verify signatures from the owner or encrypt messages to the
owner.
Only the owner of the private key can decrypt data sent by the server.
If somebody try to authenticate with a certificate that he does'nt own,
he will not be able to decrypt the data sent by the server, since he
does'nt have the private key. So the communication will died immediatly

Best,

Francois

> regards,
> mitu