
RE: User certs checking



> -----Original Message-----
> From: tsg [mailto:tsg@bugalux.com]
>
> Wednesday 05 March 2003 22:11, you wrote:
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of tsg
> > >
> > > hi all!
> > > 1. As I understood, openldap (v 2.1.12) when verifying a user
> > > certificate checks only the CA that signed the certificate, but not
> > > the certificate itself and not the user dn in it. Is it true? How can
> > > I make openldap check the user certificate and user DN?
> >
> > The user certificate is checked. The DN in the certificate is extracted
> > and its syntax is checked. An invalid DN is rejected. Ordinarily, you
> > cannot create a cert with an invalid DN, so it's very rare for the DN
> > to get rejected.
>
> I've made a certificate for, let's say, user jonh with DN:
> uid=jonh,ou=Users,dn=example,dn=com. Openldap checked this certificate
> and accepted user jonh (bind DN == cert DN). Then I changed the user
> (bind DN: uid=jim,ou=Users,dc=example,dc=com, i.e. NOT the cert DN). I
> made a connection to the ldap server using the same certificate (issued
> for jonh) and openldap accepted the new user with the wrong cert DN.
> For me it's not good because I hope to use certs as the main user auth
> tool.

The certificate DN is only used for authentication if your LDAP Bind used SASL EXTERNAL. Otherwise it is ignored. When you use SASL for LDAP Binds, the LDAP Bind DN is ignored.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
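A small model of the rule in the reply above, written for this archive page and not code from OpenLDAP or from either poster: it shows which identity a connection ends up bound as when a certificate issued to jonh is presented on a simple bind as jim versus on a SASL EXTERNAL bind, and flags the simple-bind mismatch tsg observed. The authz-regexp style mapping and the sample DNs are assumptions, not taken from the thread.

```python
import re

# Constructed sample DNs for the scenario in the thread: a certificate
# issued to jonh is presented on a connection that binds as jim.
CERT_SUBJECT = "UID=jonh, OU=Users, DC=example, DC=com"   # client cert subject
BIND_DN_JIM = "uid=jim,ou=Users,dc=example,dc=com"

# Hypothetical authz-regexp style mapping from the certificate subject
# (lower-cased, RFC 2253 order) to the user's entry DN. Not from the
# thread; adapt the pattern to your own naming scheme.
AUTHZ_REGEXP = [
    (r"^uid=([^,]+),ou=users,dc=example,dc=com$",
     r"uid=\1,ou=Users,dc=example,dc=com"),
]

def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators so DNs differing
    only in case or whitespace compare equal (a simplification of the
    RFC 4514 matching rules, sufficient for the DNs used here)."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip().lower() for rdn in rdns)

def same_dn(a, b):
    return normalize_dn(a) == normalize_dn(b)

def effective_identity(method, bind_dn, cert_subject):
    """Identity the server binds the connection as, per the reply:
    simple bind -> the Bind DN, certificate ignored (None = anonymous);
    SASL EXTERNAL -> the certificate subject, Bind DN ignored."""
    if method == "simple":
        return bind_dn or None
    if method == "EXTERNAL":
        if not cert_subject:
            raise ValueError("SASL EXTERNAL needs a verified TLS client cert")
        authcid = normalize_dn(cert_subject)
        for pattern, replacement in AUTHZ_REGEXP:
            if re.match(pattern, authcid):
                return re.sub(pattern, replacement, authcid)
        return authcid
    raise ValueError(f"unsupported bind method: {method}")

def cert_bind_mismatch(method, bind_dn, cert_subject):
    """True when a simple bind authenticates as a DN other than the one the
    presented certificate was issued to: the case tsg observed, and the one
    to alert on if certificates are meant to be the authentication factor."""
    if method != "simple" or not cert_subject or not bind_dn:
        return False
    return not same_dn(bind_dn, cert_subject)

if __name__ == "__main__":
    for method in ("simple", "EXTERNAL"):
        who = effective_identity(method, BIND_DN_JIM, CERT_SUBJECT)
        print(method, "-> bound as", who,
              "mismatch =", cert_bind_mismatch(method, BIND_DN_JIM, CERT_SUBJECT))
```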