
Antw: Re: OpenLDAP with ssl client certs



>>> Howard Chu <hyc@symas.com> wrote on 01.11.2013 at 19:12 in message
<5273EF18.3070700@symas.com>:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Brent Bice wrote:
>>>> I was recently asked if we could use ssl client certs as a 2nd form
>>>> of authentication with OpenLDAP and didn't know for sure.  Is it
>>>> possible to have OpenLDAP require both a DN/password pair *and* a client
>>>> ssl cert?
>>>
>>> You can make the server require a client cert, but it won't use the
>>> certificate identity for anything unless you Bind with SASL/EXTERNAL.
>>>
>>> http://www.openldap.org/doc/admin24/sasl.html#EXTERNAL 
>>>
>>> And naturally, if you're using SASL, then the DN/password pair is
>>> ignored.
>>
>> BTW:
>>
>> In case of client certs the cert's subject-DN is the authc-DN which can be
>> directly used in authz-regexp which very much ties the mapping to
>> subject-DN conventions of the PKI.
>>
>> But in some cases it would be very handy to map a distinct client cert to
>> an authz-DN by issuer-DN/serial or even by fingerprint.  One use-case is cert
>> pinning of client certs and revocation checking done off-line.
>>
>> Should I file an ITS for that?
> 
> I would reject such an ITS. Cert-pinning is an issue for clients that have a
> very large collection of trusted CAs. The Admin Guide clearly states that
> servers should only trust a single CA - the CA that signed its own certs and

Sorry, but if you insist on that, you didn't understand the concept: Any
certificate signed (transitively) by a root CA is valid. There are no
distinctions between more or less valid certificates; they are either valid or
invalid. Even if you talk about a single CA, what do you mean? A name of a CA,
or one specific certificate of a CA? Over time one CA may have more than one
certificate.

Please don't set up arbitrary restrictions or recommendations!

Regards,
Ulrich


> 
> the certs of its clients. In that case, no one else can issue a valid cert 
> with the same subjectDN.
> 
> -- 
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com 
>    Director, Highland Sun     http://highlandsun.com/hyc/ 
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
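As a worked illustration of the subject-DN mapping Michael describes above, here is a slapd.conf fragment added to this page (it is not from the thread or from the OpenLDAP documentation): the server trusts one client CA, demands a client cert, and maps the cert's subject DN to a directory entry via authz-regexp for SASL/EXTERNAL binds. The CA file path, the subject-DN shape, the dc=example,dc=com suffix and the lower-cased form of the matched DN are assumptions.

```conf
# Constructed slapd.conf fragment (added example, not from the thread).
# Assumptions: CA file path, subject-DN layout and the dc=example,dc=com suffix.

# The single CA that issues client certificates; nothing else is trusted.
TLSCACertificateFile /etc/openldap/ca/client-ca.pem

# Reject TLS sessions that do not present a certificate chaining to that CA.
TLSVerifyClient demand

# With SASL/EXTERNAL over TLS the authc-DN is the cert subject DN, assumed
# here to arrive normalized (lower-cased), e.g.
#   cn=brent.bice,ou=people,o=example,c=us
# Map it to the entry under ou=people whose uid equals the cert's cn.
# A simple DN/password bind is not consulted on this path (see Howard's note).
authz-regexp
  "^cn=([^,]+),ou=people,o=example,c=us$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"
```

A client with TLS_CERT/TLS_KEY set in its ldap.conf can check the mapping with `ldapwhoami -ZZ -Y EXTERNAL -H ldap://server/`; the returned dn: should be the mapped ou=people entry, not the raw certificate subject.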