
Re: client certificates -- howto?



Hi,

Jeff Warnica <jeffw@chebucto.ns.ca> writes:

> The admin guide does a very good job describing how to configure client
> certificates - once they're already set up. There is not so much as a
> description of the required objectclass/attribute to hold the public
> cert. I would like authentication to be done in the same manner as SSH
> using keys; everything I've read says that this is possible (and usually
> "strongly recommend"), but nothing describes how to do it.
>
> On Sat, 2003-09-20 at 03:53, Dieter Kluenter wrote:
>> Hi,
>> 
>> Jeff Warnica <jeffw@chebucto.ns.ca> writes:
>> 
>> > I've dug around a bit, but I haven't been able to find any (useful)
>> > documentation on how to log in to OpenLDAP using client certificates. Is
>> > there a howto or any other documents hidden away somewhere?
>> 
>> See the Administrator's Guide 11.1.2 Client Certificate
>> http://www.openldap.org/doc/admin21/tls.html
>> And search the archive of this list, it has been posted several
>> times. 

OK. Just a simple method to authenticate against OpenLDAP:
1. create user certificates with a DN matching the DN in the DIT
2. sign these certificates with your cacert
3. distribute cacert.pem to your hosts
4. create ~/.ldaprc files with TLS entries according to man ldap.conf
5. start authenticating, using the SASL EXTERNAL mechanism and forcing TLS

dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

The SASL username is extracted from the certificate.

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
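The five steps in Dieter's message as one POSIX shell script; this is an added example, not a script from the message or from the OpenLDAP project. It builds a client key and CSR whose subject is the entry DN, has the CA sign it, copies cacert.pem to the client, checks the issued certificate's subject against the entry DN before the first bind, writes ~/.ldaprc and runs ldapwhoami as shown above. The CA directory, the client file names, the LDAP URI and the example.com host are assumptions; the DN and the certificate subject are the ones from the message.

```shell
# Added example, not Dieter's script: steps 1-5 of the message as one script.
# Assumed: CA key+cert in $CA_DIR, client files under $CLIENT_DIR, and slapd
# configured to request client certificates (TLSVerifyClient in slapd.conf).
set -eu
CA_DIR=${CA_DIR:-/etc/openldap/ca}
CLIENT_DIR=${CLIENT_DIR:-$HOME/.ldap}
LDAP_URI=${LDAP_URI:-ldap://ldap.example.com}
# Entry DN in the DIT and the matching certificate subject (X.500 order).
LDAP_DN="cn=dieter kluenter,ou=partner,o=avci,c=de"
CERT_SUBJECT="/C=de/O=avci/OU=partner/CN=Dieter Kluenter"
# Reduce `openssl x509 -subject -nameopt RFC2253` output ("subject=CN=...";
# older releases print "subject= CN=...") to the DN form slapd shows as the SASL
# username, lower-cased because OpenLDAP matches these DN components case-insensitively.
dn_from_subject() {
  printf '%s\n' "$1" | sed 's/^subject= *//' | tr 'A-Z' 'a-z'
}
# Step 1's requirement (certificate DN == entry DN), checked before binding.
cert_matches_dn() {  # $1 = certificate file, $2 = entry DN
  [ "$(dn_from_subject "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")")" = \
    "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}
# Step 4: ~/.ldaprc (options from ldap.conf(5); ldap.conf does not expand ~).
ldaprc_contents() {
  cat <<EOF
URI $LDAP_URI
TLS_CACERT $CLIENT_DIR/cacert.pem
TLS_CERT $CLIENT_DIR/client-cert.pem
TLS_KEY $CLIENT_DIR/client-key.pem
TLS_REQCERT demand
SASL_MECH EXTERNAL
EOF
}
if [ "${1:-}" = "run" ]; then            # `sh client-cert.sh run` does the work
  mkdir -p "$CLIENT_DIR" && chmod 700 "$CLIENT_DIR"
  # 1. key and CSR carrying the entry DN as subject
  openssl req -new -newkey rsa:2048 -nodes -subj "$CERT_SUBJECT" \
    -keyout "$CLIENT_DIR/client-key.pem" -out "$CLIENT_DIR/client.csr"
  chmod 600 "$CLIENT_DIR/client-key.pem"
  # 2. sign it with the CA certificate
  openssl x509 -req -days 365 -in "$CLIENT_DIR/client.csr" -CA "$CA_DIR/cacert.pem" \
    -CAkey "$CA_DIR/cakey.pem" -CAcreateserial -out "$CLIENT_DIR/client-cert.pem"
  # 3. the CA certificate the client verifies slapd against
  cp "$CA_DIR/cacert.pem" "$CLIENT_DIR/cacert.pem"
  cert_matches_dn "$CLIENT_DIR/client-cert.pem" "$LDAP_DN" ||
    { echo "certificate subject does not match $LDAP_DN" >&2; exit 1; }
  ldaprc_contents > "$HOME/.ldaprc"       # 4.
  ldapwhoami -Y EXTERNAL -ZZ              # 5. (the command from the message)
else
  ldaprc_contents                         # dry run: show the ~/.ldaprc that would be written
fi
```

Without the `run` argument the script only prints the ~/.ldaprc it would write, so it can be reviewed before touching any files.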