
Re: web apps and client certificate authentication



Kurt Zeilenga wrote:
> The web application should just authenticate as itself and then use
> proxy authorization to act on behalf of the client.
> Of course, it has to be authorized to do so.
>
>> But it would be nicer to actually have the client authenticate to slapd
>> using its own client certificate.
> 
> Why?

I also concur that it would be nice to have an end-to-end authentication
between web client and LDAP server without giving the web application
special rights.

> Generally, the web application is part of the service which 
> encompasses the web server and directory service.  They should
> already have an appropriate trust relationship.

BTW: This is a very broad assumption not valid in all deployments.
Nevertheless it's always good practice to avoid overly powerful system
components since in this case the web application could have security
problems.

Kerberos with forwardable tickets could be a solution. One could argue
that as a forwardable ticket is a full TGT you also have to trust the
web application a little bit more. But given the limited lifetime of
TGTs the risk is significantly lower than long-time service credentials
for the web application together with the right for doing proxy
authorization.

Ciao, Michael.
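Kurt's condition that the web application "has to be authorized" for proxy authorization, and Michael's point about not making that component overly powerful, as an added OpenLDAP configuration example (constructed here, not from either poster; the DNs, the regex and the webapp entry are assumptions):

```conf
# slapd.conf fragment (constructed example).
#
# Proxy authorization is off unless explicitly granted. With the "to"
# policy the *authenticating* identity's own entry must carry an authzTo
# rule listing the identities it may assume via the proxied-authorization
# control (RFC 4370); nobody else can switch identity.
authz-policy to

# Least privilege for the web application itself: it may bind, but as
# cn=webapp it sees nothing. Once it has assumed a user identity, the
# operation runs under that user's ACL entries (self write / users read),
# so a compromised web application gains no rights of its own.
access to dn.subtree="ou=people,dc=example,dc=com"
    by self write
    by dn.exact="cn=webapp,ou=services,dc=example,dc=com" none
    by users read
    by * auth

# The corresponding entry for the web application (LDIF, constructed):
#
#   dn: cn=webapp,ou=services,dc=example,dc=com
#   objectClass: applicationProcess
#   objectClass: simpleSecurityObject
#   cn: webapp
#   userPassword: {SSHA}<placeholder>
#   # May act only as ordinary users under ou=people, never as
#   # administrative or other service identities.
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

The authzTo regex is the control point to review: a rule such as `dn.regex:.*` would hand the web application every identity in the directory, which is exactly the overly powerful component the thread warns against.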