Re: client certificates -- howto?
Jeff Warnica <firstname.lastname@example.org> writes:
> The admin guide does a very good job describing how to configure client
> certificates - once they're already set up. There is not so much as a
> description of the required objectclass/attribute to hold the public
> cert. I would like authentication to be done in the same manner as SSH
> using keys; everything I've read says that this is possible (and usually
> "strongly recommended"), but nothing describes how to do it.
> On Sat, 2003-09-20 at 03:53, Dieter Kluenter wrote:
>> Jeff Warnica <email@example.com> writes:
>> > I've dug around a bit, but I haven't been able to find any (useful)
>> > documentation on how to login to OpenLDAP using client certificates. Is
>> > there a howto or any other documents hidden away somewhere?
>> See the Administrator's Guide 11.1.2 Client Certificate
>> And search the archive of this list, it has been posted several
OK. Just a simple method to authenticate against OpenLDAP:
1. create user certificates with a DN matching the DN in the DIT
2. sign these certificates with your cacert
3. distribute cacert.pem to your hosts
4. create ~/.ldaprc files with TLS entries according to man ldap.conf
5. start authenticating, using sasl EXTERNAL mechanism and forcing TLS
dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
SASL SSF: 0
SASL username is extracted from the certificate.
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
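Step 1 above is the one that usually goes wrong: `openssl` prints the certificate subject root-first in slash form (`/C=de/O=avci/...`), while slapd takes the SASL EXTERNAL username in LDAP order (`CN=...,OU=...,O=avci,C=de`) and uses it directly as the authentication DN, so the subject must line up with the entry DN in the DIT. The following is an added example (not code from the post or from OpenLDAP) that converts an `openssl x509 -noout -subject` line into the DN slapd will see, checks it against an entry DN the way slapd compares DNs (attribute types and caseIgnore values folded), and emits the `~/.ldaprc` entries for step 4. The sample subject line and the entry DN are constructed; the option names are the standard ones from ldap.conf(5).

```python
"""
Check that a client certificate's subject will match the entry DN that
slapd expects (step 1 of the procedure in the post).  Added example; not
code from the original mailing-list post.  The sample subject line and the
entry DN below are constructed for illustration.
"""

# What `openssl x509 -noout -subject` prints for a certificate, in the
# one-line "slash" format used by OpenSSL 0.9.x (constructed sample).
OPENSSL_SUBJECT = "subject= /C=de/O=avci/OU=partner/CN=Dieter Kluenter"

# DN of the user's entry in the DIT (assumed; not given in the post).
ENTRY_DN = "cn=Dieter Kluenter,ou=partner,o=avci,c=de"


def split_unescaped(text, sep):
    """Split text on sep, honouring backslash escapes (the escape is consumed)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_openssl_subject(line):
    """Return [(type, value), ...] in certificate (root-first) order."""
    body = line.strip()
    if body.lower().startswith("subject="):
        body = body[len("subject="):].strip()
    rdns = []
    for part in split_unescaped(body, "/"):
        if not part:
            continue  # the leading slash yields an empty first part
        typ, _, val = part.partition("=")
        rdns.append((typ.strip(), val))
    return rdns


def rfc4514_escape(value):
    """Escape an attribute value for use in an LDAP DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def to_ldap_dn(rdns):
    """LDAP writes the most specific RDN first, so reverse OpenSSL's order."""
    return ",".join(f"{t}={rfc4514_escape(v)}" for t, v in reversed(rdns))


def normalize_dn(dn):
    """Comparison form: types and values case-folded, surrounding spaces trimmed
    (cn, ou, o and c all use caseIgnore matching in the standard schema)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        typ, _, val = rdn.partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return tuple(rdns)


def subject_matches_entry(openssl_line, entry_dn):
    """True if the DN SASL EXTERNAL derives from this subject names entry_dn."""
    presented = to_ldap_dn(parse_openssl_subject(openssl_line))
    return normalize_dn(presented) == normalize_dn(entry_dn)


def ldaprc_lines(cacert, cert, key):
    """~/.ldaprc entries for step 4; option names are those of ldap.conf(5)."""
    return [f"TLS_CACERT {cacert}", f"TLS_CERT {cert}", f"TLS_KEY {key}",
            "TLS_REQCERT demand"]


if __name__ == "__main__":
    print("SASL username:", to_ldap_dn(parse_openssl_subject(OPENSSL_SUBJECT)))
    print("matches entry:", subject_matches_entry(OPENSSL_SUBJECT, ENTRY_DN))
    print("\n".join(ldaprc_lines("/etc/ssl/cacert.pem", "~/cert.pem", "~/key.pem")))
```

Run it against the subject of the certificate you intend to use; if `subject_matches_entry` is false, `ldapwhoami -Y EXTERNAL -ZZ` will report the certificate's DN as the SASL username but no entry in the DIT will correspond to it, which is the usual reason EXTERNAL authentication appears to "work" yet grants nothing.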