
Re: SASL/EXTERNAL with a smartcard



Hi Kurt,

Thank you very much for your answer. I am not at all comfortable with TLS and
OpenLDAP hacking, and I don't know how TLS can expose interfaces. I
will post about this on specific forums and see what I can do.

Regards,

François Beretti


2006/2/17, Kurt D. Zeilenga <Kurt@openldap.org>:
> At 01:56 AM 2/17/2006, François Beretti wrote:
> >I know that this is quite off topic, but I am wondering how to use
> >SASL/EXTERNAL authentication with a certificate stored on a smartcard.
> >
> >For me it is not under the entire responsibility of the ssl library,
> >since the LDAP library provides the certificate file, using the
> >ldap.conf rules. When using a smartcard, you don't use a certificate
> >file, since everything is in the smartcard, and not in the filesystem.
> >So it seems that the LDAP library is incompatible with smartcard TLS
> >authentication.
> >
> >Am I wrong?
> >Does someone have any link toward a way to achieve this?
>
> In our external I-D management for SASL, we merely ask TLS
> if there is a user certificate.  We don't care whether it
> came from a file or not.
>
> Now, TLS needs access to the user certificate and generally
> relies on calling routines to provide the certificate
> location via a file name.  We do this through ldap.conf(5)
> mechanisms.  If TLS exposes another interface for providing
> user certificates, OpenLDAP could certainly be extended
> to support that interface.  In which case, feel free
> to code something up and/or file an ITS for a feature
> enhancement.
>
> Kurt
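The file-based path Kurt describes above, as an added illustration that is not part of the original thread and not OpenLDAP's own documentation: the client-side ldap.conf(5) directives that hand the TLS layer a certificate and key by file name, so that a SASL/EXTERNAL bind can then ask TLS for the user certificate. The host name, file paths and the comment lines are assumptions for the example; TLS_CACERT, TLS_CERT, TLS_KEY and TLS_REQCERT are real ldap.conf(5) directives, and ldapwhoami's -ZZ and -Y EXTERNAL options are real.

```conf
# ~/.ldaprc or /etc/openldap/ldap.conf (example, hypothetical values)
#
# CA bundle used to verify the server certificate during StartTLS.
TLS_CACERT   /etc/ssl/certs/example-ca.pem
# Require a valid server certificate; "demand" is the safe default for
# an authenticated session, since EXTERNAL trusts what TLS established.
TLS_REQCERT  demand
#
# The user certificate and private key the TLS library will present.
# This is exactly the "location via a file name" mechanism from the
# message above: both values are paths in the filesystem, which is why
# a key that only exists inside a smartcard cannot be referenced here.
TLS_CERT     /home/user/.ldap/user-cert.pem
TLS_KEY      /home/user/.ldap/user-key.pem
#
# Usage (hypothetical host): force StartTLS, then bind with SASL/EXTERNAL.
# The identity OpenLDAP reports comes from the certificate TLS presented.
#   ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com
```

Keep the private key file readable only by its owner; with EXTERNAL, the whole authentication rests on the TLS client certificate exchange, so the key file is the credential.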