[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access ... by certificate=...

To: Howard Chu <hyc@symas.com>
Subject: Re: access ... by certificate=...
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Sun, 22 Apr 2007 21:11:29 +0200
Cc: openldap-devel@openldap.org
In-reply-to: <46296F70.4010209@symas.com>
References: <hbf.20070420ll82@bombur.uio.no> <46296F70.4010209@symas.com>

Howard Chu writes:
> Hallvard B Furuseth wrote:
>> Could we add an 'access ... by' variant for the client's TLS
>> certificate, _without_ Bind:SASL/EXTERNAL?
>> (To the cert's DN, I expect, but I don't know much about
>> certificates.  Maybe there are other things to look at as well.)
>>
>> That could be used to authenticate a service (an LDAP client)
>> rather than the user it Binds as, when the service asks the user
>> for password and Binds with his DN and password.
>> (...)
> This sounds like a special case of proxy authorization. Can't you just
> use that?

Not that I can see.  man slapd.conf says under authz-policy:
    Proxy authorization (...) essentially allows user A
    to login as user B, using user A's password.
But I want the service to authenticate the user with his own
credentials and identify itself with its credentials, and use
both identities for access control in a single access statement.

A more general description would be, grant access based on the
DN which would be used if the client were to do Bind:SASL/EXTERNAL,
or possibly the DN which would be passed to authz-regexp.

access to ...  by self extdn=<certificate's DN> write  by * read

-- 
Regards,
Hallvard

Follow-Ups:
- Re: access ... by certificate=...
  - From: Howard Chu <hyc@symas.com>

References:
- access ... by certificate=...
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: access ... by certificate=...
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: access ... by certificate=...
Next by Date: Re: access ... by certificate=...
Index(es):
- Chronological
- Thread