
Re: OpenLDAP, SSL and client authentication



At 04:02 AM 5/31/2004, Antonio Ruiz Martínez wrote:
>"Kurt D. Zeilenga" wrote:
>> At 11:18 AM 5/21/2004, Antonio Ruiz Martínez wrote:
>> >Hello!
>> >
>> >    I'm a new user of OpenLDAP and I'm trying to configure OpenLDAP
>> >with client authentication.
>> >I think I have done the correct steps in order to configure OpenLDAP
>> >with SSL and only using the server authentication. I have read that the
>> >change in order to support client authentication is to change the
>> >value of TLSVerifyClient. But my problem is the following:
>> >I would like to configure my directory with some public attributes and
>> >some private attributes for each user. And I would like everybody to be
>> >able to read the public attributes and I would like the private attributes
>> >to be readable only by the owner user. I would like to allow the user to read
>> >the private attributes when he is authenticated with client
>> >authentication over SSL. The problem is that besides the client
>> >authentication it asks me for the password, and I wouldn't like to
>> >enter a password, because with client authentication I can be
>> >sure the client is the correct user in order to access the private data.
>> >How can I solve my problem? Can you guide me, please?
>>
>> Use SASL/EXTERNAL (as discussed in http://www.openldap.org/doc/admin22/tls.html).
>>
>>
>Thanks for your answer, but I've configured the SSL client authentication, but it
>asks me for the password.

Which password?  The password for your private TLS (SSL) key?  If so,
that's to be expected.  If you mean instead an LDAP password, that's
likely because you're telling the client to do LDAP simple bind
instead of a SASL EXTERNAL bind.

>Could you give me a reference how to configure
>SASL/EXTERNAL with SSL?

Aside from configuring TLS (SSL) to use client certificates
(see previously provided reference), there really isn't
configuration needed for SASL/EXTERNAL to be used with SSL.
You just need to tell the client that's what you want to
do.  See its manual page for how to do that (hint: -Y).
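Putting the two halves of this thread together (a certificate-based bind on the client, and ACLs that make the private attributes readable only by their owner) looks roughly like the slapd.conf fragment below. This is an added illustration, not configuration from the thread or from the OpenLDAP project; the DNs, attribute names, hostname and file paths are assumed placeholders, and it assumes the certificate subject CN equals the entry's uid.

```conf
# slapd.conf fragment (added example; DNs, attribute names and paths are
# assumed placeholders, not values from the thread)

# Server certificate plus the CA that issued the client certificates.
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/ldap-server.pem
TLSCertificateKeyFile /etc/openldap/ldap-server.key

# Require a client certificate and refuse the session if it does not verify
# (the setting the original poster already changed).
TLSVerifyClient demand

# With SASL/EXTERNAL over TLS the authentication identity is the subject DN
# of the client certificate. Map it onto the user's own entry so that the
# "by self" clauses below apply to that user. (Assumed: subject CN == uid.)
authz-regexp
  "^cn=([^,]+),ou=people,o=example,c=es$"
  "uid=$1,ou=people,dc=example,dc=com"

# Private attributes: readable by the owner only, invisible to everyone else.
access to attrs=homePhone,homePostalAddress
  by self read
  by * none

# Everything else is public; only the owner may modify it.
access to *
  by self write
  by * read

# Client side (assumed values): bind with the certificate, not a password.
#   ldapsearch -ZZ -Y EXTERNAL -H ldap://ldap.example.com \
#     -b "ou=people,dc=example,dc=com" "(uid=antonio)"
# The client's certificate and key come from TLS_CERT / TLS_KEY in the
# user's ldaprc; if that key is passphrase-protected, the only prompt you
# should see is for the key passphrase, never an LDAP password.
```

Without the -Y EXTERNAL option ldapsearch falls back to a simple bind, which is exactly the LDAP password prompt described in the thread.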