[Date Prev][Date Next]
TLS Client auth and ACL's, how to map certs to ACL or LDAP-users?
Openldap 2.2.13-2 (RHEL4) as LDAP server, let's say it's ldap.kimmo.local
Many FC3 servers, which should authenticate users against ldap using TLS
client authentication. Servers are serverN.kimmo.local where N is the number
from 1 to 10.
I have enrolled certs for ldap and other servers, TLS client and Server
authentication are working okay. Servers have certs with subject C=fi,
I would like to give those client authenticated servers read-write access to
the ldap, so changing passwors or adding users would be possible.
Now, without ACL's, I servers can read LDAP and thus users are able to login.
But changing password is not working, I think because default ACL's accept
only rootdn to write.
1. Do I have to create "users" to the LDAP which are the servers from 1 to 10,
for example uid=server1,ou=servers,o=myorg,c=fi.
2. How to map TLS client authenticated server to the ACL or LDAP user names so
I can give read-write rights to those servers. I guess ACL user names are
always users in LDAP, rootdn is the only non-LDAP account?
I tried with the following ACL:
access to *
by self write
by users write
by anonymous auth
but no luck, cannot read or write with this ACL.
Any ideas or pointers where to find examples or more information.
I don't have any experience from Openldap ACL's.