Re: ACL rule match if client certificate was used?
On 2012-06-05 13:42, Patrick Hemmer wrote:
> Is there any way to create an ACL rule which will match if a client
> certificate was used on the connection or not?
> I'd like to do an ACL such as
>   to attrs=userPassword
>     by peername.ip="220.127.116.11%255.255.255.0" auth
>     by client_ssf="64" auth
> Also set olcTLSVerifyClient=try
> This will let our internal network authenticate against ldap without
> needing a client cert, but anyone outside our internal network must have
> one. We would then use our own CA to create certificates for all the
> clients and tell OpenLDAP to trust only that CA.
> Obviously client_ssf doesn't exist, but is there another way of
> accomplishing this goal?
I wrote a proof of concept dynacl that essentially does this. The ACL
looked something like:
  access to attrs=userPassword
    by dynacl/clientAuth auth
All the dynacl does is determine if there is an authid in the SASL
context. If so, a client certificate was used and access can be granted.
Examples of dynacls can be found in contrib/slapd-modules/acl.
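The pieces described in the question and the reply, wired together as one cn=config LDIF. This is an added example, not configuration from either poster or from the OpenLDAP tree; it assumes the proof-of-concept dynacl is built as a module file named clientauth.la that registers a dynacl called "clientAuth", that olcModulePath already points at the directory holding it, that the site CA is at /etc/ldap/ssl/site-ca.pem, that the internal subnet is 10.0.0.0/24, and that the user database is olcDatabase={1}mdb. Replace each of those with your own values.

```ldif
# Added example: not from the thread. Module name, CA path, subnet and database
# DN are assumptions (see lead-in).

# 1. Load the proof-of-concept dynacl so "dynacl/clientAuth" is recognised in ACLs.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: clientauth.la

# 2. Trust only the site CA, and ask for a client certificate without requiring
#    one. With "try", a connection that presents no certificate proceeds and gets
#    no SASL authid; a certificate that does not chain to site-ca.pem aborts the
#    TLS handshake.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/site-ca.pem
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: try

# 3. The ACL from the thread. Clients on the internal subnet may authenticate
#    with a password alone; everyone else must have presented a certificate
#    (which is what the dynacl checks for via the SASL authid). The trailing
#    "by * none" is what slapd applies anyway; it is written out for clarity.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by peername.ip="10.0.0.0%255.255.255.0" auth
  by dynacl/clientAuth auth
  by * none
```

Apply it with ldapmodify against the config database, then exercise it from outside the subnet twice: once with a plain bind and no certificate (expect invalid credentials, since the `auth` privilege is not granted) and once with LDAPTLS_CERT/LDAPTLS_KEY pointing at a certificate issued by the site CA (expect success). Note that nothing in this ACL requires TLS for the internal hosts; if their password binds must not travel in the clear, add an `ssf` requirement (for example via olcSecurity) separately.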