Re: OpenLDAP with ssl client certs

Howard Chu wrote:
> Brent Bice wrote:
>>      I was recently asked if we could use ssl client certs as a 2nd form
>> of authentication with OpenLDAP and didn't know for sure.  Is it
>> possible to have OpenLDAP require both a DN/password pair *and* a client
>> ssl cert?
> You can make the server require a client cert, but it won't use the
> certificate identity for anything unless you Bind with SASL/EXTERNAL.
> http://www.openldap.org/doc/admin24/sasl.html#EXTERNAL
> And naturally, if you're using SASL, then the DN/password pair is ignored.
In the case of client certs, the cert's subject-DN is the authc-DN, which can be
used directly in authz-regexp; this very much ties the mapping to the subject-DN
conventions of the PKI.

But in some cases it would be very handy to map a distinct client cert to an
authz-DN by issuer-DN/serial or even by fingerprint.  One use-case is cert
pinning of client certs and revocation checking done off-line.

Should I file an ITS for that?

Ciao, Michael.
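The subject-DN-based mapping discussed in this thread, written out as a slapd.conf fragment. This is an added example, not configuration from the thread or from the OpenLDAP project; the CA file path, the certificate subject convention (cn/ou/o/c) and the directory suffix dc=example,dc=com are assumptions.

```conf
# Added example (not from this thread): slapd.conf fragment showing the
# subject-DN -> authz-DN mapping via authz-regexp. Paths and names are assumed.

# Require a client certificate issued by the organisation's own CA; a missing
# or unverifiable certificate aborts the TLS handshake before any Bind.
TLSCACertificateFile /etc/openldap/pki/client-ca.pem
TLSVerifyClient      demand

# With SASL/EXTERNAL over TLS, the authc-DN slapd uses is the certificate's
# subject DN in normalized form. For a subject of
#   CN=alice,OU=People,O=Example Corp,C=DE
# the authc-DN is
#   cn=alice,ou=people,o=example corp,c=de
#
# Map that convention onto a real entry in the DIT. Only subjects matching the
# anchored pattern are rewritten; any other subject is left as the raw
# authc-DN, which does not name an entry in the DIT.
authz-regexp
  "^cn=([^,]+),ou=people,o=example corp,c=de$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"
```

To check the resulting identity from a client, point the client library at the cert and key (for the OpenLDAP tools via the LDAPTLS_CERT and LDAPTLS_KEY environment variables or TLS_CERT/TLS_KEY in ldap.conf) and run `ldapwhoami -Y EXTERNAL -ZZ -H ldap://server`; the reply shows whether the Bind landed on the mapped entry or on the raw subject-DN. Note that this mechanism keys only on the subject DN, which is exactly the limitation the message above raises: a cert sharing the same subject but a different issuer, serial or fingerprint maps identically, so pinning a specific certificate has to happen at the CA/TLSVerifyClient layer, not in authz-regexp.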