
Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication



It seems that this special configuration is not possible.
Trying to set the key will always result in

TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648

The ldap code has to be adjusted to use a key or certificate from a configured pkcs#11 keystore.

Is there another way to accomplish that?

On Monday, 17 June 2013 15:48:13, Dan White wrote:
On 06/17/13 10:26 +0200, Stefan Scheidewig wrote:
Hello,

we have two LDAP instances. LDAP A acts as proxy for LDAP B using the
ldap-backend. Now we configured LDAP B to use client authentication.
We successfully established a connection to LDAP B using OpenSSL
s_client and the PKCS#11 engine (OpenSSL engine library). Now we want
the LDAP proxy to establish the connection using this pkcs11 engine
(we compiled the ldap proxy to use OpenSSL as TLS implementation). Is
there a possibility to tell the LDAP proxy to use the certificate and
key from the smartcard (e.g. something like pkcs11:slot_1-id_42)?

I don't know. However, you could try to set tls_key=slot_1-id_42, but
since OpenLDAP does not provide a configurable engine selection (to my
knowledge), you'd need to find some way to set the engine to pkcs11,
perhaps with an environment variable or via a default config option in
/etc/openssl/, or via some openssl compile option.


--
Kind regards,

Stefan Scheidewig

T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software Developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com

T-Systems Multimedia Solutions GmbH
Supervisory Board: Klaus Werner (Chairman)
Management: Peter Klingenburg, Susanne Heger
Commercial Register: Amtsgericht Dresden HRB 11433
Registered office: Dresden
VAT ID: DE 811 807 949
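As an added illustration (not code from the thread or from OpenLDAP), the following Python decodes the OpenSSL error lines quoted above, showing why a PKCS#11 identifier in tls_key cannot work: the packed code 02001002 is library 2 (OpenSSL's ERR_LIB_SYS) with errno reason 2 (ENOENT) from fopen(), i.e. the key setting was handed to SSL_CTX_use_PrivateKey_file as a filesystem path. It assumes the OpenSSL 1.0-era error layout (8-bit lib, 12-bit func, 12-bit reason) that produced these lines; the sample log is constructed from the message.

```python
import re
import errno

# Constructed sample: the three OpenSSL error lines OpenLDAP logs (see the
# message above) when the configured tls_key is not a readable file.
SAMPLE_LOG = """\
TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
"""

# OpenSSL 1.0.x error-string layout: error:<8 hex>:<lib>:<func>:<reason> <file>:<line>
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*?) "
    r"(?P<file>\S+\.c):(?P<line>\d+)$"
)

ERR_LIB_SYS = 2  # OpenSSL library id for "system library" (reason field is errno)

def decode_code(code):
    """Unpack ERR_PACK(lib, func, reason): 8-bit lib, 12-bit func, 12-bit reason."""
    value = int(code, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF

def parse_tls_log(text):
    """Return one dict per 'TLS: error:' line with the unpacked fields."""
    entries = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue  # e.g. the leading "could not use key file" line
        lib, func, reason = decode_code(m.group("code"))
        entries.append({"lib": lib, "func": func, "reason": reason,
                        "lib_name": m.group("lib"), "func_name": m.group("func"),
                        "reason_text": m.group("reason"), "file": m.group("file")})
    return entries

def diagnose(entries):
    """A system-library error from fopen means the key setting was opened as a path."""
    for e in entries:
        if e["lib"] == ERR_LIB_SYS and e["func_name"] == "fopen":
            return f"key setting opened as a file: {errno.errorcode.get(e['reason'], e['reason'])}"
    return "not a file-open failure"

def key_setting_is_file_path(value):
    """Preflight: a pkcs11: URI or slot/id label is not a path and will hit the error above."""
    return not (value.startswith("pkcs11:") or re.fullmatch(r"slot_\d+-id_\d+", value))
```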