Re: web apps and client certificate authentication

[Kurt Zeilenga <Kurt@OpenLDAP.org>]

On Jan 11, 2009, at 11:22 AM, Emmanuel Dreyfus wrote:

> Kurt Zeilenga <Kurt@OpenLDAP.org> wrote:
>
> > Why?  Generally, the web application is part of the service which
> > encompasses the web server and directory service.  They should  
> > already
> > have an appropriate trust relationship.
>
> When using plain password authentication, the web app can just hands  
> the
> DN and password to slapd, it does not need any special privilege.

But a bug in the web app could not only give access the directory for  
all subsequent users of the web app, but also to other information/ 
services protected by the user and password information available via  
that web application.

> If the web app is entrusted with an authzTo: *, then a bug in it could
> be used to get full directory access.
>
>
> > > That is, having the web application
> > > behaving as a kind of proxy, without any special privilege on the
> > > directory. Is that possible? If it is, where should I start?
> > Would require cooperation between the web server and the directory
> > server.  So nothing gained, IMO, except complexity.
>
> This would be complexity in an unprivilegied piece of code, rather  
> than
> giving trust to an application.

Not necessarily.  The level of cooperation necessary, I believe, is so  
that the web app would have to be "trusted".  And that's no better  
than the proxy authzid use case.

> Both approaches have merits. In order to
> really compare them, one need an idea of the complexity.
>
> How would one implement that kind of "proxy certificate  
> authentication"?

I leave this as an exercise to someone who strong knowledge of TLS and  
its certificate-based authentication.  I'm only saying it that it's  
likely possible, at least, in theory.  I don't think it's practical.

-- Kurt