
Re: OpenLDAP with ssl client certs

Brent Bice wrote:
>    I was recently asked if we could use ssl client certs as a 2nd form of
> authentication with OpenLDAP and didn't know for sure.  Is it possible to have
> OpenLDAP require both a DN/password pair *and* a client ssl cert?

Regarding client certs you have two options:

1. Let the client use a client cert and SASL/EXTERNAL to bind to the LDAP
server. Then use authz-regexp in the server's configuration to map the client
cert to an authz-DN - ideally an existing entry. Depending on how your client
certs are used you could consider this to be 2-factor authc, e.g. in case the
client cert's key is stored on a smartcard with a separate PIN.

2. Let the client use a client cert and simple bind with DN/password sent to
the LDAP server. AFAIK you can't enforce that the client cert matches the
bind-DN though. So regarding this as real 2-factor authc is somewhat questionable.

In any case you have to set up your server to correctly validate the client
certs against a locally configured trusted CA cert.

Ciao, Michael.

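A concrete server-side setup for option 1 (client cert, SASL/EXTERNAL, authz-regexp), as an added example that is not part of Michael's reply or of OpenLDAP's own documentation. The file paths, the hostname, the subject-DN layout matched by the regexp and the directory suffix dc=example,dc=com are all assumptions; check the exact identity string your server derives from the cert before writing the regexp (see below).

```conf
# slapd.conf fragment (added example; paths, hostname and the DIT layout
# below are assumptions, not taken from the original post)

# The server's own certificate and key for the TLS listener.
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key

# The locally configured trusted CA that issued the client certificates.
# Only certs chaining to this CA are accepted. Do not point this at a
# public CA bundle: any cert from any CA in that bundle would then pass.
TLSCACertificateFile    /etc/openldap/certs/client-ca.crt

# Require a client certificate and abort the TLS handshake if it does not
# verify. "allow" and "try" accept connections with a missing or bad cert
# and silently fall back, which defeats the point. This directive is global,
# so every TLS client of this slapd must present a cert, including ones that
# still do a simple DN/password bind over TLS.
TLSVerifyClient         demand

# With SASL/EXTERNAL over TLS, slapd uses the certificate's subject as the
# SASL authentication DN, here assumed to arrive as
#   cn=alice,ou=people,o=example,c=us
# Map it onto the entry that really holds Alice's account so that ACLs and
# group memberships written against ou=People,dc=example,dc=com apply.
# The pattern is anchored and the capture excludes commas, so a subject with
# extra or reordered RDNs does not match. The LDAP URL must return exactly
# one entry for the mapping to take effect; if no rule matches, the identity
# stays the raw subject DN, which exists nowhere in the DIT and should be
# given no rights beyond anonymous in the access directives.
authz-regexp
    "^cn=([^,]+),ou=people,o=example,c=us$"
    "ldap:///ou=People,dc=example,dc=com??one?(&(objectClass=inetOrgPerson)(uid=$1))"
```

To see the identity slapd actually derives from a given certificate, bind with it from a client (TLS_CERT and TLS_KEY in the user's ldaprc, or the LDAPTLS_CERT and LDAPTLS_KEY environment variables) and run ldapwhoami -Y EXTERNAL -ZZ -H ldap://ldap.example.com: it prints the authzDN after mapping, or the unmapped subject DN if no authz-regexp rule matched, which is the string the regexp has to be written against. Note that TLSCACertificateFile alone does not cover revocation; on an OpenSSL build, TLSCRLCheck peer with a TLSCRLFile is the usual addition if issued client certs can be lost or stolen.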