
Re: Support for extensible certificate mapping
I think that this kind of mapping belongs below SASL, as
suggested in your dnX509peerNormalize override solution.

At 01:53 AM 9/19/2004, Luke Howard wrote:

>We'd like to plug in an extensible certificate mapping function into
>slapd, for clients that do SASL EXTERNAL binds over TLS.
>
>The function requires both the certificate issuer and subject DNs, as
>well as possibly the set of subjectAltNames. So it's not possible to
>express the certificate mapping function as a SASL regex rule in the
>current implementation (which just normalizes the subject DN).
>
>It seems like overriding dnX509peerNormalize() would give us the most
>flexibility. I tried this and it appears that internal searches (which
>we would need to perform the mapping) don't work -- I can debug this
>further of course, but would appreciate some input first as to whether
>this is an appropriate hook. I would propose a native OpenLDAP API like:
>
>int register_certificate_map_function(int (*fn)(void *ssl, struct berval *dn));
>
>Another possibility would be to enable a mode where the EXTERNAL DN
>was something like:
>
>        subjectDN=%s,issuerDN=%s,cn=EXTERNAL,cn=auth
>
>which could be processed by SASL regexp rules. The problem with this
>approach is that it would need to be optional to not break existing
>deployments, and it also doesn't give us access to subjectAltName
>which would be desirable in our application.
>
>-- Luke
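As an added illustration of the second proposal (not code from the thread or from OpenLDAP), the following Python models the composite `subjectDN=%s,issuerDN=%s,cn=EXTERNAL,cn=auth` authorization DN and a regexp mapping over it. The helper names, the rule shape (issuer pattern, subject pattern, replacement template, loosely modelled on authz-regexp) and the sample DNs are assumptions; slapd's own DN normalization is not reproduced. It also shows the caveat the composite form brings: the embedded DNs contain commas, so they must be escaped as RDN values (RFC 4514) or the outer DN cannot be split reliably.

```python
import re
from typing import Optional

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape a string so it can be carried as a single RDN value."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        out.append('\\' + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return ''.join(out)

def unescape_rdn_value(value: str) -> str:
    return re.sub(r'\\(.)', r'\1', value)

def external_authz_dn(subject_dn: str, issuer_dn: str) -> str:
    """Composite DN in the form proposed in the message; the embedded DNs are escaped
    so their own commas do not become RDN separators of the outer DN."""
    return 'subjectDN=%s,issuerDN=%s,cn=EXTERNAL,cn=auth' % (
        escape_rdn_value(subject_dn), escape_rdn_value(issuer_dn))

def parse_external_authz_dn(authz_dn: str) -> Optional[tuple]:
    """Recover (subject_dn, issuer_dn); None if the DN is not of the expected shape.
    Splits on unescaped commas only (simplified: an escaped backslash before a comma is not handled)."""
    rdns = re.split(r'(?<!\\),', authz_dn)
    if len(rdns) != 4 or rdns[2:] != ['cn=EXTERNAL', 'cn=auth']:
        return None
    subj, iss = rdns[0], rdns[1]
    if not (subj.startswith('subjectDN=') and iss.startswith('issuerDN=')):
        return None
    return (unescape_rdn_value(subj[len('subjectDN='):]),
            unescape_rdn_value(iss[len('issuerDN='):]))

# Hypothetical authz-regexp style rules: (issuer pattern, subject pattern, replacement template).
# Pinning the issuer is what stops a same-named subject certified by another CA from mapping.
RULES = [
    (r'^cn=Example CA,o=Example$', r'^cn=([^,]+),ou=Staff,o=Example$',
     r'uid=\1,ou=People,dc=example,dc=com'),
]

def map_external_dn(authz_dn: str, rules=RULES) -> Optional[str]:
    """Map the composite EXTERNAL DN to a directory DN, or None if no rule matches."""
    parsed = parse_external_authz_dn(authz_dn)
    if parsed is None:
        return None
    subject_dn, issuer_dn = parsed
    for issuer_re, subject_re, template in rules:
        if re.match(issuer_re, issuer_dn):
            m = re.match(subject_re, subject_dn)
            if m:
                return m.expand(template)
    return None
```

Feeding the same DNs in unescaped produces a string with too many RDNs, so `parse_external_authz_dn` rejects it; that failure is the reason the escaping step exists.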