[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication of both proxy and client

At 11:32 AM 2001-10-22, Stig Venaas wrote:
>Thanks for your answer. I'll try to explain a bit further what I'm
>thinking below. I'm not really looking for people to do the thinking
>for me, but some comments on what is possible, or what could be
>worth implementing would be good.
>On Mon, Oct 22, 2001 at 09:52:50AM -0700, Kurt D. Zeilenga wrote:
>> mechanism specific.  The gateway can play man-in-the-middle
>> (with weak mechanisms) or the gateway must authenticate the
>> client itself but may use information stored in the directory.
>> The latter (with simple password mechanisms) can be accomplished
>> today through use of an LDAP-enabled SASL features at the
>> gateway.
>Right, my idea was the former, but will consider the latter. I would
>like to restrict who can act like gateways. The former combined with
>TLS (no SASL) and client certificate verification, satisfy my wishes
>if I create my own special CA to sign certificates for the gateways,

Here you have client/gateway TLS authentication.

>and make only that CA known to the LDAP server.

And use gateway/server TLS authentication.

>If I could restrict
>simple bind based on contents of the TLS client certificate (the CN

No need to use simple bind.  The client was authenticated
to the gateway using TLS certificates, the gateway to the server
using TLS certificates.  The gateway can now use SASL EXTERNAL
specifying the client's identity in the authzid.  Then all you
need is policy that allows the gateway to assert this authzid
(or "access to the resource").

>I could use a CA that also issues certificates to others. 
>Ideally I think as much as possible of the context/state should be
>available as ACL subjects. Right now I'm looking for the best
>solution regardless of what is currently implemented...
>In my case the gateway is a resource, and I want to control access
>to the resource based on data in LDAP, that is, I want to do both
>authentication and authorization of users based on LDAP data. I was
>hoping to do all the work in LDAP with ACLs.

The authorization proxy policy is established in HEAD orthogonal
to ACLs.

>If I use SASL to
>authenticate the user at the gateway, I can still have the LDAP
>server do the user authorization when the gateway tries to do a
>SASL bind and specifies the user as authorization id maybe? That
>is, gateway G should only be able to bind as user X if data
>associated with X has certain values.