Howard Chu wrote: > Brent Bice wrote: >> I was recently asked if we could use ssl client certs as a 2nd form >> of authentication with OpenLDAP and didn't know for sure. Is it >> possible to have OpenLDAP require both a DN/password pair *and* a client >> ssl cert? > > You can make the server require a client cert, but it won't use the > certificate identity for anything unless you Bind with SASL/EXTERNAL. > > http://www.openldap.org/doc/admin24/sasl.html#EXTERNAL > > And naturally, if you're using SASL, then the DN/password pair is ignored. BTW: In case of client certs the cert's subject-DN is the authc-DN which can be directly used in authz-regexp which very much ties the mapping to subject-DN conventions of the PKI. But in some cases it would be very handy to map a distinct client cert to a authz-DN by issuer-DN/serial or even by fingerprint. One use-case is cert pinning of client certs and revocation checking done off-line. Should I file an ITS for that? Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature