
Re: SASL EXTERNAL and client certificates





--On Monday, May 01, 2006 5:16 PM +0200 Adam Pordzik <adresseverbummelt@gmx.de> wrote:

> Hi,
>
> Recently, I played with client certificates and the SASL EXTERNAL mechanism.
> There are some questions left:
>
> AUTHENTICATION/AUTHORIZATION
>
> I can authenticate with any certificate issued by a trusted CA found
> c_rehashed in /etc/ssl/certs. (O'SSL compiled-in certs directory AND
> slapd's TLSCACertificatePath here) Does this imply that anybody with
> a valid certificate, e.g. issued by some public CA like Thawte or Verisign,
> is authorized as "users" in ACL terms?
>
> Is only TLSCACertificatePath checked, or OpenSSL's default directory also?
>
> If so, how can I prevent this (or turn off the EXTERNAL mechanism completely
> without rebuilding SASL)? For now, this is no problem here at all, but
> 'users' should be a delimited group, not anybody with a valid certificate.

I ran into the same issue with SASL/GSSAPI (anyone who connects with a valid K5 ticket from my realm is a "user"). Because of this, I do not use "user" anywhere in my ACLs.


However, I also exploit this feature of OpenLDAP to use the SASL DNs of connections that do not map into my user space to it so I can give some SASL connections read access to various entries without them having entries in the database.



> dn:email=me@my.dom,cn=adam pordzik,o=a org

> So, the DN is in reversed RFC 2253 order. That's good, but who flipped it?
> (AFAIK the "openssl x509" sub-command also offers a switch to reverse the
> subject DN, but I've never used it so far, therefore I am not sure
> whether this is only for display purposes.)

If you understand DN structure in LDAP (i.e., the order of importance) then it should become obvious why the order is reversed to create a valid DN.


> The following works, but I suppose it wouldn't if I changed the order of
> attribute names in core.schema:

You should never modify core.schema.


> sasl-regexp
>     email=([^,]*),cn=([^,]*)(,.*)?
>     ldap:///ou=Users,ou=Accounts,dc=my,dc=dom??one?(&(mail=$1)(cn=$2))
>
> $ ldapwhoami -H "ldap://ldap.lan.d-dt.de/" -ZZ -Y EXTERNAL

I will note that since you have a sasl-regexp (authz-regexp in OL 2.3+), you can essentially create a "users" set by doing:


access to <whatever>
  by dn.children="ou=Users,ou=Accounts,dc=my,dc=dom"


(What is dc=dom, by the way? dc=com? :) ).

> So, is there also a possibility to get a SASL bind DN in the form of
> ...,cn=external,cn=auth, e.g. x509dn,cn=external,cn=auth?

Not with SASL/EXTERNAL. SASL/EXTERNAL uses the DN of the cert.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
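The following is an added example, not OpenLDAP code and not something either poster wrote. It models the two points made above: how the sasl-regexp (authz-regexp) rule quoted in the thread turns the SASL EXTERNAL DN (the certificate subject in LDAP order) into a one-level search, and why `by dn.children="ou=Users,ou=Accounts,dc=my,dc=dom"` is narrower than `by users`. The regexp, the search base and the `email=me@my.dom,cn=adam pordzik,o=a org` DN are taken from the thread; the directory entry, the second certificate subject and the simulated search are constructed for the example. The fallback it models (a DN that does not map keeps its raw SASL DN as the bound identity) is the behaviour Quanah relies on for his unmapped SASL connections.

```python
import re

# Rule quoted in the thread (sasl-regexp; authz-regexp in OpenLDAP 2.3+).
AUTHZ_REGEXP = re.compile(r"email=([^,]*),cn=([^,]*)(,.*)?")
AUTHZ_BASE = "ou=Users,ou=Accounts,dc=my,dc=dom"   # base of the ldap:///...??one?... URI
USERS_SUBTREE = AUTHZ_BASE                          # subtree named in by dn.children="..."

# Constructed directory: one entry carrying the mail/cn that (&(mail=$1)(cn=$2)) looks up.
DIRECTORY = [
    {"dn": "uid=apordzik,ou=Users,ou=Accounts,dc=my,dc=dom",
     "mail": "me@my.dom", "cn": "adam pordzik"},
]


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (sufficient for these DNs)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def x509_to_ldap_order(subject_rdns):
    """X.509 encodes the subject root-first (o, cn, email); LDAP writes the most
    specific RDN first, which is why the SASL DN in the thread appears reversed.
    The attribute spelling ('email') follows the DN shown by ldapwhoami above."""
    return ",".join(reversed(subject_rdns))


def parent_of(dn):
    """DN of the entry directly above dn."""
    return ",".join(split_rdns(dn)[1:])


def is_child_of(dn, subtree):
    """dn.children semantics: dn lies strictly below subtree (case-insensitive)."""
    d, s = split_rdns(dn.lower()), split_rdns(subtree.lower())
    return len(d) > len(s) and d[-len(s):] == s


def resolve_identity(sasl_dn, directory=DIRECTORY):
    """Apply the rule: on a match, run the one-level search; if exactly one entry
    is found its DN becomes the identity, otherwise the raw SASL DN is kept.
    The search is simulated here instead of being performed by slapd."""
    m = AUTHZ_REGEXP.fullmatch(sasl_dn)
    if not m:
        return sasl_dn
    mail, cn = m.group(1), m.group(2)
    hits = [e["dn"] for e in directory
            if parent_of(e["dn"]).lower() == AUTHZ_BASE.lower()   # scope "one"
            and e["mail"].lower() == mail.lower()                  # (mail=$1)
            and e["cn"].lower() == cn.lower()]                     # (cn=$2)
    return hits[0] if len(hits) == 1 else sasl_dn


def acl_decision(identity):
    """Outcome of the two <by> clauses discussed in the thread for one
    successfully authenticated bind with the given identity."""
    return {"by users": True,                                   # any authenticated DN
            "by dn.children": is_child_of(identity, USERS_SUBTREE)}


if __name__ == "__main__":
    # Certificate from the thread's own CA, subject in certificate (root-first) order.
    own = x509_to_ldap_order(["o=a org", "cn=adam pordzik", "email=me@my.dom"])
    # Constructed subject of a certificate issued by some other CA in the trust path.
    public = x509_to_ldap_order(["o=some other company", "cn=someone else"])
    for dn in (own, public):
        ident = resolve_identity(dn)
        print(dn, "->", ident, acl_decision(ident))
```

Running it shows the first certificate mapped to `uid=apordzik,...` and admitted by both clauses, while the second stays as its raw subject DN: still an authenticated bind (`by users` grants), but outside the subtree (`by dn.children` does not), which is exactly the distinction Quanah draws.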