[Date Prev][Date Next]
Re: SASL EXTERNAL and client certificates
--On Monday, May 01, 2006 8:44 PM +0200 Adam Pordzik
Quanah Gibson-Mount wrote:
Is only TLSCACertificatePath checked or OpenSSL's default directory
I ran into the same issue with SASL/GSSAPI (anyone who connects with a
valid K5 ticket from my realm is a "user"). Because of this, I do not
use "user" anywhere in my ACLs.
However, I also exploit this feature of OpenLDAP to use the SASL DN's of
"Exploiting" a "feature"? :)
connections that do not map into my user space to it so I can give some
SASL connections read access to various entries without them having
entries in the database.
Yes, and the same with users in sasldb and maybe other sasl backends.
But I don't think this is comparable. Normally you have ascendancy over
accounts created in there, but I don't know about Identities Verisign
This would just subvert the meaning of "users".
But if slapd doesn't care about /etc/ssl/certs (I don't know libssl)
this wouldn't be a problem. Does an explicit TLSCACertificatePath
prevent libssl from evaluating CA-certificates in /etc/ssl/certs?
OpenLDAP only cares about the certificates it has been told to trust with
the TLSCA* commands (whether that is the path variable or the file
dn:email@example.com,cn=adam pordzik,o=a org
So, DN is in reversed RFC2253 order. That's good, but who flipped it?
(AFAIK "openssl x509" sub-command also offers a switch to reverse
subject-DN, but I've never used it so far, therefor I am not sure,
whether this is only for displaying purposes.)
If you understand DN structure in LDAP (i.e., the order of importance)
then it should become obvious why the order is reversed to create a
I'm not sure, whether I understand you. Which structure? Which order?
The usual Hierarchy? I don't know X500 well, but AFAIK it just starts
with the left-most AVA whereas LDAP-DNs on the right. Is there more to
Nope, that is exactly it.
So, it's slapd itself who reverses subject's DN, right? (And what about
Correct, it is slapd reversing the subject DN. No idea what it does with
multi-valued AVA's. ;)
$ ldapwhoami -H "ldap://ldap.lan.d-dt.de/" -ZZ -Y EXTERNAL
I will note that since you have a sasl-regexp (authz-regexp in OL 2.3+),
you can essentially create a "users" set by doing:
access to <whatever>
Yes. It's just another point. And more typing, especially with multiple
naming contexts... :) Generally, I agree that unmapped authzid's allow
a finer grained access control.
> (What is dc=dom, by the way? dc=com? :) ).
dc=exaple,dc=org is so much typing too... :)
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html