Re: SASL External : certificates stored in LDAP
Michael Ströder wrote:
Mitrana Cristian wrote:
I think this idea is plain wrong. If the cert will be stored in the
DIT, what kind of authentication is that? Every bind operation that
requests SASL/EXTERNAL will be auth'ed based on the cert, i.e. every
client that knows a DN which authenticates with SASL/EXTERNAL and has
the cert stored on the server will be able to authenticate as the DN.
Doesn't this defeat the purpose of the authentication?
Correct me if I'm wrong, just my 2 cents.
You still need the appropriate private key for the user certificate
when connecting with SSL/TLS. This is the credential - not the X.509
Right! My mistake, I just confused things a little bit. Anyway,
since this requires the client to have the private key on his end, it might
as well have the certificate.