
Re: SASL EXTERNAL and client certificates
Kurt D. Zeilenga wrote:
> At 08:16 AM 5/1/2006, Adam Pordzik wrote:
>> Hello,
>>
>> Recently, I played with client certificates and the SASL EXTERNAL mechanism.
>> There are some questions left:
>>
>> AUTHENTICATION/AUTHORIZATION
>>
>> I can authenticate with any certificate issued by a trusted CA found
>> c_rehashed in /etc/ssl/certs.
>
> Yes.
>
>> (O'SSL compiled-in certs directory AND
>> slapd's TLSCACertificatePath here) Does this imply that anybody with
>> a valid certificate, e.g. issued by some public CA like Thawte or Verisign,
>> is authorized as "users" in ACL terms?
>
> If those CAs are "trusted" (see first question), yes.
>
>> Is only TLSCACertificatePath checked or OpenSSL's default directory also?
>
> Former.

[...]

> Use of TLS+EXTERNAL is limited to valid certificates issued
> by a trusted CA.  Limit your trust in CAs to limit user
> certificates.

Hmm. When I place e.g. a selfsigned.cer in /etc/ssl/certs (which is not TLSCACertificatePath) on slapd's host, it will be taken for authentication and authorization. The same goes for a (Sub-)CA I can use for signing my own certificates, below and alongside slapd's host cert chain: it allowed me to issue a client certificate for e.g.

cn=Manager,dc=my,dc=dom

and use it from any host for EXTERNAL authorization. I think this is
at least a little risky without a proper rewriting rule. (Only tested
with certificates whose only extensions are non-critical basicConstraints
with CA:true/false and no pathlen.)


Regards,

A
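As an added illustration, not part of this thread or of the OpenLDAP project, here is a slapd.conf fragment that applies the advice above: trust a single private CA file instead of a directory of public CAs, demand a client certificate, and map certificate subjects from a dedicated naming context onto directory entries with authz-regexp so that the subject DN printed in a certificate is not used verbatim as the bind DN. The file paths, the dc=example,dc=com suffix and the ou=certs/ou=people layout are assumptions.

```conf
# --- Weak (assumed example): any certificate chaining to any CA in the hashed
#     directory authenticates, and its subject DN becomes the bind DN as-is.
#TLSCACertificatePath /etc/ssl/certs
#TLSVerifyClient      try

# --- Hardened: trust exactly one private CA (assumed path), demand a client
#     certificate, and require TLS with a minimum strength for all operations.
TLSCACertificateFile  /etc/openldap/ca/internal-ca.pem
TLSCertificateFile    /etc/openldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapd.key
TLSVerifyClient       demand
security ssf=128 update_ssf=128

# Issue client certificates only with subjects under ou=certs,... (a naming
# context that contains no real entries) and map them to the user's entry.
# A subject outside this pattern is left unmapped, so it must not coincide
# with an existing entry DN or with rootdn; the CA restriction above is what
# prevents a foreign CA from minting such a subject in the first place.
authz-regexp
  "^cn=([^,]+),ou=certs,dc=example,dc=com$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# Check the mapping from a client whose ldaprc points TLS_CERT/TLS_KEY at a
# certificate issued under ou=certs:
#   ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL
# The reply should be dn:uid=<name>,ou=people,dc=example,dc=com, not the
# certificate subject itself.
```

If a build also consults OpenSSL's compiled-in certificate directory, as observed in the message above, that directory must be pruned of CAs you do not intend to trust for client authentication, since TLSCACertificateFile alone would not remove them from the verification path.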