SASL EXTERNAL and client certificates



Moin,

Recently, I played with client certificates and the SASL EXTERNAL mechanism.
There are some questions left:

AUTHENTICATION/AUTHORIZATION

I can authenticate with any certificate issued by a trusted CA found
c_rehashed in /etc/ssl/certs (OpenSSL's compiled-in certs directory AND
slapd's TLSCACertificatePath here). Does this imply that anybody with
a valid certificate, e.g. issued by some public CA like Thawte or Verisign,
is authorized as "users" in ACL terms?

Is only TLSCACertificatePath checked, or OpenSSL's default directory also?

If so, how can I prevent this (or turn off the EXTERNAL mechanism completely
without rebuilding SASL)? For now, this is no problem here at all, but
'users' should be a delimited group, not anybody with a valid certificate.


X.509-DN/REWRITE

The DN/subject of the certificate is:
$ openssl x509 -noout -subject -in some.cer
subject= /CN=Adam Pordzik/emailAddress=me@my.dom

ldapwhoami returns:

$ ldapwhoami -H "ldap://ldap/" -ZZ -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: emailAddress=me@my.dom,CN=Adam Pordzik,O=A Org
SASL SSF: 0
dn:email=me@my.dom,cn=adam pordzik,o=a org

So, the DN is in reversed RFC2253 order. That's good, but who flipped it?
(AFAIK the "openssl x509" sub-command also offers a switch to reverse the
subject DN, but I've never used it so far, therefore I am not sure
whether this is only for display purposes.)

The SASL username reports 1.2.840.113549.1.9.1 as "emailAddress"; slapd maps
this AVA to "email". Why? And why can't I use "emailAddress" or
"pkcs9email", or at least its OID as defined in core.schema, for DN
rewriting?

The following works, but I suppose it wouldn't if I changed the order of the
attribute names in core.schema:

sasl-regexp
   email=([^,]*),cn=([^,]*)(,.*)?
   ldap:///ou=Users,ou=Accounts,dc=my,dc=dom??one?(&(mail=$1)(cn=$2))

$ ldapwhoami -H "ldap://ldap.lan.d-dt.de/" -ZZ -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: emailAddress=me@my.dom,CN=Adam Pordzik,O=A Org
SASL SSF: 0
dn:cn=adam pordzik,ou=users,ou=accounts,dc=my,dc=dom

So, is there also a possibility to get a SASL bind DN in the form of
...,cn=external,cn=auth, e.g. x509dn,cn=external,cn=auth?

Is it possible to access the attributes of the X.509 subjectAltName extension?



Regards,

A
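The chain of DN transformations the mail walks through (OpenSSL's slash-separated subject, the RFC 2253-ordered SASL username, slapd's normalised authcDN, and the sasl-regexp lookup URL) reproduced step by step as an added Python example. It is not part of the original mail and not OpenLDAP or OpenSSL code: the certificate subjects are constructed from the values shown above (with the O=A Org RDN that the SASL username line shows), the folding of emailAddress/pkcs9email/OID to "email" models the first-NAME normalisation the mail observes rather than slapd's own implementation, and a second, constructed subject from a hypothetical public CA shows what happens when no sasl-regexp matches.

```python
import re

# Subject as "openssl x509 -noout -subject" prints it by default: slash-separated,
# root-first order. Constructed from the values in the mail (O=A Org added because
# the SASL username line shows it).
ONELINE_SUBJECT = "/O=A Org/CN=Adam Pordzik/emailAddress=me@my.dom"

# Constructed subject of a certificate from some unrelated, trusted public CA.
# It authenticates just as well, but none of our sasl-regexp rules will match it.
FOREIGN_SUBJECT = "/C=US/O=Some Public CA/CN=Some Body"

# The sasl-regexp pair from the mail: pattern line and replacement URL line.
SASL_REGEXP_PATTERN = r"email=([^,]*),cn=([^,]*)(,.*)?"
SASL_REGEXP_TARGET = "ldap:///ou=Users,ou=Accounts,dc=my,dc=dom??one?(&(mail=$1)(cn=$2))"

# core.schema lists NAME ( 'email' 'emailAddress' 'pkcs9email' ) for OID
# 1.2.840.113549.1.9.1; slapd normalises a DN to the first NAME, 'email'.
# Assumption for this example: only this attribute type needs aliasing.
CANONICAL_ATTR_NAME = {
    "emailaddress": "email",
    "pkcs9email": "email",
    "1.2.840.113549.1.9.1": "email",
}


def oneline_to_rfc2253(oneline: str) -> str:
    """Turn OpenSSL's root-first '/X=a/Y=b' form into RFC 2253 order 'Y=b,X=a'.

    Assumes values contain no '/' or ',' (true for the values in the mail);
    for real certificates let OpenSSL do it: openssl x509 -subject -nameopt RFC2253.
    """
    rdns = [part for part in oneline.split("/") if part]
    return ",".join(reversed(rdns))


def normalize_dn(dn: str) -> str:
    """Mimic what the mail observes slapd doing to the authcDN.

    Attribute names are folded to their first schema NAME, values are lowercased
    (cn and email both use caseIgnore-style matching), whitespace is trimmed.
    """
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().lower()
        attr = CANONICAL_ATTR_NAME.get(attr, attr)
        out.append(f"{attr}={value.strip().lower()}")
    return ",".join(out)


def apply_sasl_regexp(authc_dn: str, pattern: str, target: str):
    """Apply one slapd sasl-regexp pair to a normalised authcDN.

    Matches from the start of the DN (the mail's pattern is unanchored) and
    substitutes $1..$9 into the target. Returns None when the rule does not
    match; slapd then leaves the bind DN as the raw certificate DN, which is
    what the first ldapwhoami output in the mail shows.
    """
    m = re.match(pattern, authc_dn)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)


def map_certificate_subject(oneline: str) -> dict:
    """Run a certificate subject through the whole pipeline and return each stage."""
    sasl_username = oneline_to_rfc2253(oneline)
    authc_dn = normalize_dn(sasl_username)
    lookup = apply_sasl_regexp(authc_dn, SASL_REGEXP_PATTERN, SASL_REGEXP_TARGET)
    return {"sasl_username": sasl_username, "authc_dn": authc_dn, "lookup": lookup}


if __name__ == "__main__":
    for subject in (ONELINE_SUBJECT, FOREIGN_SUBJECT):
        stages = map_certificate_subject(subject)
        print("subject:      ", subject)
        print("SASL username:", stages["sasl_username"])
        print("authcDN:      ", stages["authc_dn"])
        print("lookup:       ", stages["lookup"] or "(no sasl-regexp matched; bind DN stays the cert DN)")
        print()
```

The second subject is the point of the ACL question in the mail: a certificate from any CA in the trust store passes TLS client authentication, so limiting "users" to a known group has to happen in the sasl-regexp mapping (and in the ACLs that reference the mapped DNs), not in certificate validation. Where the search URL finds no entry the bind still succeeds with the unmapped DN.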