[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Support for extensible certificate mapping

I think that this kind of mapping belongs below SASL, as
suggested in your dnX509peerNormalize override solution.

At 01:53 AM 9/19/2004, Luke Howard wrote:

>We'd like to plug in an extensible certificate mapping function into
>slapd, for clients that do SASL EXTERNAL binds over TLS.
>The function requires both the certificate issuer and subject DNs, as
>well as possibly the set of subjectAltNames. So it's not possible to
>express the certificate mapping function as a SASL regex rule in the
>current implementation (which just normalizes the subject DN).
>It seems like overriding dnX509peerNormalize() would give us the most
>flexibility. I tried this and it appears that internal searches (which
>we would need to perform the mapping) don't work -- I can debug this
>further of course, but would appreciate some input first as to whether
>this is an appropriate hook. I would propose a native OpenLDAP API like:
>int register_certificate_map_function(int (*fn)(void *ssl, struct berval *dn));
>Another possibility would be to enable a mode where the EXTERNAL DN
>was something like:
>        subjectDN=%s,issuerDN=%s,cn=EXTERNAL,cn=auth
>which could be processed by SASL regexp rules. The problem with this
>approach is that it would need to be optional to not break existing
>deployments, and it also doesn't give us access to subjectAltName
>which would be desirable in our application.
>-- Luke