SSL authentication



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Donn Cave

> We've been using a hack to simple bind to authenticate with SSL
> certificates, in 2.1 and 2.2, mainly so we could support client
> libraries on some MS Windows & MacOS X platforms that have SASL
> but no `external' option.  The client basically just sends some
> standard stuff, that would not be valid in a normal simple bind,
> to signal it wants a certificate bind.  It's 100 or so lines of
> extra code in bind.c, but mods to existing code are limited to
> one spot.
>
> I don't think it would require Cyrus SASL on the server, either,
> though I haven't tried it.  The only obvious sasl requirement is
> slap_sasl_regexp().
>
> I'm guessing this may actually be a heresy and not what you meant,
> but it does work with any old LDAP client.

I used to have code for this in OpenLDAP 2.0 (pre-release); basically if the
client did a simple Bind with a DN and no password, and provided a client
cert, and the client cert DN matched the simple Bind DN then I treated it as
a successful authentication. That fell by the wayside when SASL/EXTERNAL came
along. Sometimes SASL gets to be enough of a headache that I'm tempted to
resurrect that code, but the current approach works...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
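A model of the certificate-backed simple Bind Howard describes (a DN, an empty password, and a verified client certificate whose subject matches that DN), as an added example and not OpenLDAP code; the `TlsState` record, the `normalize_dn` helper and the result strings are assumptions for illustration. The empty-password branch matters: RFC 4513 treats "DN plus empty password" as an unauthenticated Bind, so the DN must not be granted unless a verified certificate backs it.

```python
# Added example (not OpenLDAP code): decision logic for a cert-backed simple
# Bind. Assumes a TLS layer that reports whether the peer certificate chain
# verified and what its subject DN is (TlsState is a constructed stand-in).
from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsState:
    established: bool
    peer_cert_verified: bool        # chain validated against trusted CAs
    peer_subject_dn: Optional[str]  # subject DN taken from the client cert


def normalize_dn(dn: str) -> tuple:
    """Split an RFC 4514 string DN into (type, value) pairs, case-folded and
    whitespace-collapsed. Handles backslash-escaped commas; multi-valued
    RDNs and hex escapes are out of scope for this illustration."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        out.append((attr.strip().lower(), " ".join(val.split()).lower()))
    return tuple(out)


def simple_bind(bind_dn: str, password: str, tls: TlsState) -> str:
    """Return an LDAP-style outcome for a simple Bind under this scheme."""
    if password != "":
        return "passwordCheck"        # ordinary path: verify userPassword
    if bind_dn == "":
        return "anonymous"            # anonymous Bind, unchanged
    # DN with empty password: RFC 4513 calls this an unauthenticated Bind.
    # Only a verified client certificate may turn it into a real identity.
    if not (tls.established and tls.peer_cert_verified and tls.peer_subject_dn):
        return "unauthenticatedBind"  # treat as anonymous, or reject outright
    if normalize_dn(tls.peer_subject_dn) == normalize_dn(bind_dn):
        return "success"
    return "invalidCredentials"       # cert is valid but names someone else
```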