[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication

Michael StrÃder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11
URI containing a pinfile attribute) I tried to set those PKCS#11 URIs to the
ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM
encoded file (see function tlsg_ctx_init in tls_g.c) and a connection
initialization fails trying to read the PKCS#11 URI from the local file system.

So currently there seems to be no way to configure the OpenLDAP client to look
up the pkcs#11 store for the client key as well as the client certificate to
establish a client authenticated TLS connection.

If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss
(--with-tls=moznss). Never tried that myself though.

Or submit appropriate GnuTLS or OpenSSL patches to add the feature.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/