Authentication of both proxy and client

I would like users to access a resource by supplying username and
password, and have the resource use LDAP for user authentication.
I would like the resource to be authenticated first, and then I
would like the resource to hand username/password to the LDAP
server, thus delegating the user authentication to the LDAP server.

If I understand SASL correctly, it won't do user authentication,
only authorization. What I would like, I think, is for the resource/
proxy to use TLS with certificate authentication, and then have the
resource bind on behalf of the user with the username/password the
user supplied. This is possible to do today; the only thing I miss
is a way to refer to attributes and values in the client certificate
in ACLs. That might be useful in other situations as well, or?

Does this make any sense, or should I consider a completely different
solution? I suppose some would say that I should have the
resource retrieve encrypted passwords (or other data) from the LDAP
server, and validate the credentials on its own.
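One way to configure the server side of the scheme described above, as an added example that is not from the original thread: a slapd.conf fragment (assuming the server is OpenLDAP slapd; all file paths, DNs and the proxy's certificate subject are constructed placeholders) that refuses connections without a trusted client certificate, maps the proxy's certificate subject to a directory entry so the certificate holder can be named in ACLs, and leaves password verification to the bind performed with the user-supplied credentials.

```conf
# Added example, not from the original post. Assumes OpenLDAP slapd;
# all paths, DNs and the certificate subject are constructed placeholders.

# Trust only the CA that issued the proxy certificates, and refuse any
# TLS session that does not present a certificate chaining to it.
TLSCACertificateFile   /etc/openldap/certs/proxy-ca.pem
TLSCertificateFile     /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/certs/slapd-key.pem
TLSVerifyClient        demand

# Require TLS before any simple bind, so the user's password never
# crosses the wire in clear.
security tls=128 simple_bind=128

# With SASL EXTERNAL over TLS, the authentication identity is the
# client certificate's subject DN. Map the proxy's certificate subject
# to an entry in the directory so that the certificate holder can be
# referenced by DN in the ACLs below.
authz-regexp
  "^cn=resource-proxy,ou=services,o=example$"
  "cn=resource-proxy,ou=services,dc=example,dc=com"

# After a SASL EXTERNAL bind, the proxy may resolve the supplied
# username to a DN. The subsequent simple bind as that user carries
# the user's own password, which slapd (not the proxy) verifies.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=uid,entry
  by dn.exact="cn=resource-proxy,ou=services,dc=example,dc=com" read
  by * none

# Passwords are only ever compared by slapd during a bind operation
# ("auth"), never readable by the proxy or anyone else.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
```

A bind operation is evaluated as anonymous regardless of the connection's current identity, so the `by anonymous auth` clause is what permits the user's password check while keeping the hashes unreadable.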