Brent Bice wrote:

> I was recently asked if we could use ssl client certs as a 2nd form of
> authentication with OpenLDAP and didn't know for sure. Is it possible to have
> OpenLDAP require both a DN/password pair *and* a client ssl cert?

Regarding client certs you have two options:

1. Let the client use a client cert and SASL/EXTERNAL to bind to the LDAP server. Then use authz-regexp in the server's configuration to map the client cert to an authz-DN, ideally an existing entry. Depending on how your client certs are used you could consider this to be 2-factor authc, e.g. when the client cert's key is stored on a smartcard with a separate PIN.

2. Let the client use a client cert and simple bind with DN/password sent to the LDAP server. AFAIK you can't enforce that the client cert matches the bind-DN though. So regarding this as real 2-factor authc is somewhat questionable.

In any case you have to set up your server to correctly validate the client certs against a locally configured trusted CA cert.

Ciao, Michael.
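An added example of option 1 as a slapd.conf fragment, not from the thread or from the OpenLDAP project itself; the file paths, the directory suffix, the certificate subject layout and the entry attribute it is mapped to are assumptions:

```conf
# Added example: slapd.conf fragment for option 1 (SASL/EXTERNAL + authz-regexp).
# Paths, suffix and subject layout below are placeholders, not real values.

# Validate client certs only against the locally configured CA.
# "demand" refuses the TLS session if no cert, or an untrusted cert, is presented.
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/server.pem
TLSCertificateKeyFile  /etc/openldap/certs/server-key.pem
TLSVerifyClient        demand

# With SASL/EXTERNAL over TLS, slapd takes the authentication identity from the
# certificate's subject DN, e.g. "cn=bbice,ou=people,o=example,c=us".
# Map that identity to an existing entry by searching on the captured cn
# (assumed attribute) instead of treating the subject string as a directory DN.
authz-regexp
  "^cn=([^,]+),ou=people,o=example,c=us$"
  "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"

# Client side (~/.ldaprc, assumed paths), so that
#   ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com
# presents the cert and reports the mapped entry DN:
# TLS_CACERT /etc/openldap/certs/ca.pem
# TLS_CERT   /home/bbice/.ldap/bbice.pem
# TLS_KEY    /home/bbice/.ldap/bbice-key.pem
```

If the regexp yields no match or the search returns no entry, the bind is refused, which is the check that makes the cert-to-entry mapping trustworthy.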