
Re: Authentication of both proxy and client

On Mon, Oct 22, 2001 at 09:58:43PM +0200, Michael Ströder wrote:
> Stig Venaas wrote:
> > 
> > I would
> > like to restrict who can act like gateways. The former, combined with
> > TLS (no SASL) and client certificate verification, satisfies my wishes
> > if I create my own special CA to sign certificates for the gateways,
> > and make only that CA known to the LDAP server.
> Creating a special (sub-)CA for implementing the authorization
> scheme of the gateway looks odd to me (maybe I misunderstood
> something).

Yes, I think you misunderstood, but it was my own fault. When I said
client certificate verification, I was thinking of the gateway as
the client in the TLS sessions between gateway and server. It would
be a way to restrict who can access it.

> the support for this. Today I'm just restricting gateway use based
> on client-certs by checking a simple regex for subject and issuer DN
> string representation. (Stig, we can discuss that on Monday if you'd
> like to.)

Yes, I would like to have something like this for the LDAP server
side to restrict LDAP server use. If I can't check for subject
and issuer, the best thing I can think of is to have a special
CA like I mentioned above.

Would love to discuss on Monday if possible, much easier with some
hand-waving and a whiteboard.

> Do I have to use SASL to authenticate the user at the gateway?

You can use any scheme you like between user and gateway.

> Is it possible to simply pass the client certificate's subject DN
> (which string form?) in a SASL bind to the LDAP server to act like
> this user?

The way I understand it, SASL can be used for authentication between
gateway and LDAP server (could be used between user and gateway too),
and the gateway simply states that it would like to act on behalf of
some user. SASL checks the credentials for authentication, and LDAP
server checks if that particular gateway is allowed to act on behalf
of said user. The LDAP server expects the gateway to do the necessary
user authentication. Well, that was an attempt at explaining. Not
sure if I got it right.

> How does the LDAP server map this certificate subject DN to the
> user's entry DN?

When using TLS and SASL/EXTERNAL, I think you can write a regexp
rule to turn it into a user DN, but I don't think the DN needs to
be an existing entry, it's just something you can refer to in
ACLs. Again, this is just what I think so far. I hope someone can
point out any misconceptions (:
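
A slapd.conf fragment, added here and not from the thread, that wires up the two pieces discussed above: a dedicated gateway CA whose certificate subjects are mapped to entries via SASL/EXTERNAL, and per-gateway limits on which users a gateway may act on behalf of. It assumes the server is OpenLDAP slapd (the thread does not name one) with the directive spellings of OpenLDAP 2.4 rather than the older sasl-regexp form, and all DNs, paths and names are placeholders.

```conf
# Added example (not from the thread). Assumes OpenLDAP slapd with
# OpenLDAP 2.4 directive names; every DN, path and name is a placeholder.

# Trust only the dedicated gateway CA, and require a client certificate
# on the gateway-to-server TLS session.
TLSCACertificateFile   /etc/ldap/gateway-ca.pem
TLSVerifyClient        demand

# With SASL/EXTERNAL over TLS the authentication identity is the
# certificate subject DN. Map subjects issued under the gateway CA onto
# entries below ou=gateways; a subject that matches nothing gets no
# identity and therefore no rights, even if the cert chains correctly.
authz-regexp
    "^cn=([^,]+),ou=gateways,o=example$"
    "cn=$1,ou=gateways,dc=example,dc=com"

# Proxy authorization: the gateway binds as itself and names the user it
# acts for as the SASL authorization identity (e.g. "dn:uid=bob,ou=people,
# dc=example,dc=com"). Policy "to" means the server grants this only when
# the gateway's own entry carries an authzTo value matching that DN, e.g.
#   authzTo: dn.children:ou=people,dc=example,dc=com
# so each gateway's reach is decided by its entry, not by the client.
authz-policy to

# Keep authzTo under the administrator's control: a gateway may read its
# own entry (needed for the authzTo lookup) but cannot widen it.
access to dn.children="ou=gateways,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self read
    by * none

# Ordinary user data; the proxied identity is what these rules see.
access to dn.children="ou=people,dc=example,dc=com"
    by self write
    by users read
    by * none
```

The mapped gateway DN is only an authorization identity, so the ou=gateways entries need to exist here solely because authz-policy "to" reads authzTo from them; the ACLs and the regexp work without any such entry.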