[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: web apps and client certificate authentication

To: openldap-technical@openldap.org
Subject: Re: web apps and client certificate authentication
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 12 Jan 2009 14:14:39 +0100
In-reply-to: <183C0F1B-CB3C-4C9F-866F-CE4C2FD07C10@OpenLDAP.org>
References: <1iteaqi.1jlyr6p3oad29M%manu@netbsd.org> <183C0F1B-CB3C-4C9F-866F-CE4C2FD07C10@OpenLDAP.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14

Kurt Zeilenga wrote:
> 
> On Jan 11, 2009, at 11:22 AM, Emmanuel Dreyfus wrote:
> 
>> Kurt Zeilenga <Kurt@OpenLDAP.org> wrote:
>>
>>> Why?  Generally, the web application is part of the service which
>>> encompasses the web server and directory service.  They should already
>>> have an appropriate trust relationship.
>>
>> When using plain password authentication, the web app can just hands the
>> DN and password to slapd, it does not need any special privilege.
> 
> But a bug in the web app could not only give access the directory for
> all subsequent users of the web app, but also to other
> information/services protected by the user and password information
> available via that web application.

I thought a lot about the risks introduced by a web-based LDAP
application. If a web application does not store user and password
information because it keeps LDAP connections persistent in a web
session then the risk is significantly lower than having a long-term
service credential with a lot of power. (You might already have guessed
web2ldap does it like this ;-)

>>>> That is, having the web application
>>>> behaving as a kind of proxy, without any special privilege on the
>>>> directory. Is that possible? If it is, where should I start?
>>> Would require cooperation between the web server and the directory
>>> server.  So nothing gained, IMO, except complexity.
>>
>> This would be complexity in an unprivilegied piece of code, rather than
>> giving trust to an application.
> 
> Not necessarily.  The level of cooperation necessary, I believe, is so
> that the web app would have to be "trusted".  And that's no better than
> the proxy authzid use case.

Kurt, one has to specify in detail "trusted for what". IMO proxy
authorization is much more powerful than e.g. HTTP authentication with
SPNEGO/Kerberos with the service being trusted to receive forwardable
tickets (TGTs).

>> Both approaches have merits. In order to
>> really compare them, one need an idea of the complexity.
>>
>> How would one implement that kind of "proxy certificate authentication"?
> 
> I leave this as an exercise to someone who strong knowledge of TLS and
> its certificate-based authentication.  I'm only saying it that it's
> likely possible, at least, in theory.  I don't think it's practical.

I don't know of any existing mechanism one could use. Maybe a
challenge-response SASL mech which uses Javascript signing at the
client's side.

Ciao, Michael.

References:
- Re: web apps and client certificate authentication
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: web apps and client certificate authentication
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

Prev by Date: Re: web apps and client certificate authentication
Next by Date: ppolicy in openldap
Index(es):
- Chronological
- Thread