
Re: TLS Client auth and ACL's, how to map certs to ACL or LDAP-users?



At 01:16 PM 3/23/2005, Kimmo Koivisto wrote:
>Questions:
>1. Do I have to create "users" to the LDAP which are the servers from 1 to 10, 
>for example uid=server1,ou=servers,o=myorg,c=fi. 

The answer to this question depends on the directory application
and its configuration.

>2. How to map TLS client authenticated server to the ACL or LDAP user names so 
>I can give read-write rights to those servers.

If your LDAP client is establishing its credentials via TLS and
advising the server to use an identity associated with those
credentials for directory authorization via the SASL EXTERNAL
mechanism, then one can use this identity directly in server
ACLs.  ldapwhoami(1) is useful to determine what identity the
server is using for directory authorization purposes.

>I guess ACL user names are always users in LDAP,

Subject DNs do not necessarily name entries in the directory.

>rootdn is the only non-LDAP account?

The rootdn does not necessarily name an entry in the directory,
but it certainly can.

>I tried with the following ACL:
>access to *
>by self write
>by users write
>by anonymous auth

I assume your actual ACL has white space in front of each by
clause as you'd have a configuration error otherwise.

>but no luck, cannot read or write with this ACL. 

Well, assuming this is the only ACL, and it's properly placed
in the configuration file, and the failure is due to insufficient
access rights, I'd guess your client is anonymous.

Kurt
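Added illustration, not part of Kimmo's question or Kurt's reply: a slapd.conf fragment showing the pieces Kurt's answer relies on (TLS client verification, an authz-regexp that maps the certificate subject DN onto an entry under ou=servers so ACLs can name it, and an ACL whose "by" clauses are read first-match-wins), plus a small wrapper around ldapwhoami(1) -Y EXTERNAL that classifies the returned identity so a script can distinguish "the server authorised my certificate" from "the server saw me as anonymous". Certificate and key paths, the LDAP_URI variable, the cn=server1 to uid=server1 mapping and the o=myorg,c=fi suffix are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.  Two pieces:
#  1. slapd_conf_fragment: slapd.conf settings that give a TLS client
#     certificate an identity slapd can use in ACLs (assumed CA/cert paths
#     and an assumed mapping of cn=<name> to uid=<name>,ou=servers,...).
#  2. whoami_identity_ok: classifies the output of ldapwhoami(1) so a
#     script can tell "SASL EXTERNAL worked" from "treated as anonymous".

slapd_conf_fragment() {
    cat <<'EOF'
# Server certificate plus the CA that signed the client certificates.
# "demand" rejects TLS sessions that present no valid client cert; a client
# that offers none would otherwise end up bound anonymously.
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/slapd.pem
TLSCertificateKeyFile /etc/openldap/slapd.key
TLSVerifyClient       demand

# With SASL EXTERNAL the authentication identity is the certificate's
# subject DN.  Left unmapped, that DN is what ACLs must name, and it need
# not correspond to any entry.  This (assumed) mapping rewrites
# cn=server1,ou=servers,o=myorg,c=fi to uid=server1,ou=servers,o=myorg,c=fi
# so each server can be a real entry with its own attributes.
authz-regexp "^cn=([^,]+),ou=servers,o=myorg,c=fi$"
             "uid=$1,ou=servers,o=myorg,c=fi"

# Clauses are tried in order and the first match wins.  "anonymous auth"
# permits the bind itself but grants no read access, which is what a
# client the server regards as anonymous experiences.
access to *
        by self write
        by dn.children="ou=servers,o=myorg,c=fi" write
        by users read
        by anonymous auth
EOF
}

# Classify one line of ldapwhoami output.  Returns 0 for an authenticated
# DN ("dn:..."), 1 when the server treated the client as anonymous,
# 2 for anything else (a "u:" identity, an error message, empty output).
whoami_identity_ok() {
    case "$1" in
        dn:*)      return 0 ;;
        anonymous) return 1 ;;
        *)         return 2 ;;
    esac
}

# Ask the server who it thinks we are.  -ZZ requires StartTLS to succeed,
# -Y EXTERNAL tells slapd to use the TLS credentials for authorization,
# -Q suppresses the SASL status chatter so only the identity reaches stdout.
# LDAPTLS_* are the standard OpenLDAP client variables; paths are assumed.
tls_whoami() {
    LDAPTLS_CACERT=/etc/openldap/cacert.pem \
    LDAPTLS_CERT=/etc/openldap/server1.pem \
    LDAPTLS_KEY=/etc/openldap/server1.key \
        ldapwhoami -Q -H "$1" -ZZ -Y EXTERNAL
}

if command -v ldapwhoami >/dev/null 2>&1 && [ -n "${LDAP_URI:-}" ]; then
    identity=$(tls_whoami "$LDAP_URI")
    rc=0
    whoami_identity_ok "$identity" || rc=$?
    case "$rc" in
        0) echo "authorised as: $identity" ;;
        1) echo "server sees this client as anonymous; check TLSVerifyClient," \
                "the CA chain, and that the bind really used -Y EXTERNAL" ;;
        *) echo "unexpected identity: $identity" ;;
    esac
else
    echo "set LDAP_URI (e.g. ldap://ldap.myorg.fi) and install ldapwhoami to run the check;"
    echo "the slapd.conf fragment follows:"
    slapd_conf_fragment
fi
```

The ACL mirrors the one quoted in the thread but adds the dn.children clause for the mapped server entries; with the quoted original, a client that did not complete TLS client authentication and SASL EXTERNAL is matched only by "by anonymous auth", which explains the "cannot read or write" symptom Kurt diagnoses.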