
Re: SASL EXTERNAL with TLS Authentication



On Tuesday 12 March 2002 17:05, David H. Hawes wrote:
| Thanks for the patch--it worked like a charm.  I also tried using the
| 2.1alpha code, but could not get TLS anything working.  That may require
| some more tinkering on my part.
|
| Out of curiosity, what do I gain from SASL EXTERNAL TLS auth that I cannot
| get from putting the following in my slapd.conf:
|
| 	TLSVerifyClient 1
| 	security ssf=128
|
| 	access to *
| 		by ssf=128 { read | write | etc.}
|
| I would only trust certs that I gave out and require confidentiality
| (security ssf=128).
|
| I ask this because it seems that using either really only comes down to
| configuration options in slapd.conf.
|

You can use the subject of the certificate in an ACL or in a group, for 
instance:

dn: cn=administrators, dc=rentec,dc=com
objectClass: top
objectClass: groupofNames
member: uid=/C=US/ST=New York/L=East Setauket/O=Renaissance Technologies Corp.
 /CN=Karsten Kuenne/Email=kuenne@rentec.com
member: ....
member: ....
cn: administrators


It'll probably become much more useful with 2.1 but you can start already 
today.

-- 
Karsten.

"Things should be made as simple as possible, but not any simpler."
  -Albert Einstein
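To make the difference concrete, here is an added slapd.conf fragment that is not from either poster: it places the ssf-only ACL from David's question next to a group-based ACL that relies on the certificate subject, as Karsten suggests. The group DN and member DN are taken from his LDIF; the CA file path and the 2.0-era directive syntax are assumptions.

```conf
# Added example, not from the thread. Assumes OpenLDAP 2.0-era slapd.conf syntax.

# Common to both approaches: accept only certificates from our own CA and
# require 128-bit TLS before anything else is evaluated.
TLSCACertificateFile /etc/openldap/cacert.pem     # assumed path
TLSVerifyClient      1
security             ssf=128

# Approach 1 (David's question): confidentiality only.
# ssf=128 says "this connection is encrypted", not "who is on the other end",
# so every holder of any cert the CA issued gets identical rights.
#access to *
#        by ssf=128 write
#        by * none

# Approach 2 (Karsten's answer): SASL EXTERNAL turns the certificate subject
# into a bind DN, so the ACL can distinguish identities and group membership.
# A cert holder who is not in the group is limited to read.
access to *
        by group="cn=administrators,dc=rentec,dc=com" write
        by dn="uid=/C=US/ST=New York/L=East Setauket/O=Renaissance Technologies Corp./CN=Karsten Kuenne/Email=kuenne@rentec.com" write
        by ssf=128 read
        by * none
```

The `by dn=` line is redundant with the group line when that DN is already a `member` of the group; it is shown only to illustrate that the same subject string can be matched directly.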