
Re: How do tool verify certs with ldapi:// ?



On Mon, 28 May 2012, Michael Ströder wrote:
> Peter Marschall wrote:
> > how do the openldap tools technically verify certificates with ldapi:// ?
> 
> Which certs do you want to verify?

I assume the answer is "the one the server returns when you do StartTLS on 
the ldapi:// connection".

It's pretty unusual to do that, of course.  The normal solution for 
authenticating the server in the ldapi case is to put the socket somewhere 
that only the trusted user can write to, so you know that the socket you 
connected to is trusted.

If that's not a sufficient option, and verifying certs is required, then 
it appears the code will treat the socket path as the hostname to verify 
for.  For OpenSSL, for example, that means it'll compare it against any 
DNS: subjectAltNames as well as against the last CN component of the cert 
subject.


(A related question is what slapd will use as your authentication id for 
SASL EXTERNAL if you do TLS with a client cert on an ldapi socket: will it 
use the cert's subject or the "gidNumber=%d+uidNumber=%d,...etc" DN of the 
ldapi connection.  The former seems like the obvious choice, being the 
"more recent" of the two in this case, and a quick look at the slapd code 
would seem to confirm that...but I would test it before designing a system 
to depend on it...)


Philip Guenther
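Added example (not part of the thread above, and not OpenLDAP's own code): a small Python model of the check the reply describes, where StartTLS on an ldapi:// URL hands the Unix socket path to the peer-name check in place of a DNS host name. It decodes the %2F-escaped socket path from the URL, then matches that string against the cert's DNS: subjectAltNames and, failing those, the last CN of the subject. The certificate dicts are constructed in the shape ssl.SSLSocket.getpeercert() returns, the default socket path used for a bare ldapi:/// is an assumption (the real default is fixed when slapd is built), and wildcard matching is left out.

```python
"""Model of peer-name checking when StartTLS is done over ldapi://.

Stand-alone illustration only: it is not libldap's code, it does no TLS,
and it ignores wildcard names.  Certificates below are constructed in the
dict shape returned by ssl.SSLSocket.getpeercert().
"""
from urllib.parse import urlsplit, unquote

# Assumed default socket for a bare "ldapi:///"; the real default is a
# build-time setting of slapd, so this path is an assumption for the example.
DEFAULT_LDAPI_PATH = "/var/run/slapd/ldapi"


def socket_path_from_ldapi_url(url: str) -> str:
    """Return the Unix socket path named by an ldapi:// URL.

    The path travels in the host part of the URL with '/' escaped as %2F,
    e.g. ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/ .  An empty host means the
    built-in default socket.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi:// URL: %r" % url)
    return unquote(parts.netloc) if parts.netloc else DEFAULT_LDAPI_PATH


def _dns_sans(cert: dict) -> list:
    """All DNS: entries of subjectAltName, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _last_cn(cert: dict):
    """The last commonName RDN value of the subject, or None if there is none."""
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    return cn


def peer_name_matches(cert: dict, name: str) -> bool:
    """True if `name` equals a DNS subjectAltName or, failing that, the last CN.

    Comparison is case-insensitive, as host name matching is; no wildcards.
    """
    wanted = name.lower()
    if any(san.lower() == wanted for san in _dns_sans(cert)):
        return True
    cn = _last_cn(cert)
    return cn is not None and cn.lower() == wanted


def verify_ldapi_peer(url: str, cert: dict) -> bool:
    """The check under discussion: the socket path plays the role of the host name."""
    return peer_name_matches(cert, socket_path_from_ldapi_url(url))


# Constructed peer certificates; none of these were issued by a real CA.
CERT_HOSTNAME_ONLY = {  # ordinary server cert, names only the DNS host
    "subject": ((("countryName", "DE"),), (("commonName", "ldap.example.com"),)),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}
CERT_WITH_SOCKET_SAN = {  # also carries the socket path as a DNS: SAN
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "/var/run/slapd/ldapi")),
}
CERT_SOCKET_AS_LAST_CN = {  # no SAN; socket path is the *last* CN
    "subject": ((("commonName", "ldap.example.com"),), (("commonName", "/var/run/slapd/ldapi"),)),
}
CERT_SOCKET_AS_FIRST_CN = {  # no SAN; socket path is an earlier CN, so it is not consulted
    "subject": ((("commonName", "/var/run/slapd/ldapi"),), (("commonName", "ldap.example.com"),)),
}


def demo() -> dict:
    """Run the check for each constructed cert against one ldapi:// URL."""
    url = "ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/"
    return {
        "hostname_only": verify_ldapi_peer(url, CERT_HOSTNAME_ONLY),
        "socket_san": verify_ldapi_peer(url, CERT_WITH_SOCKET_SAN),
        "socket_last_cn": verify_ldapi_peer(url, CERT_SOCKET_AS_LAST_CN),
        "socket_first_cn": verify_ldapi_peer(url, CERT_SOCKET_AS_FIRST_CN),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-16s %s" % (label, "match" if ok else "no match"))
```

The practical consequence is the one the reply hints at: a certificate that is perfectly good for ldap://ldap.example.com/ fails peer-name checking over ldapi:// unless the socket path itself is also present as a DNS: SAN or as the final CN, which is why protecting the socket's directory permissions is the usual answer rather than TLS.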