[Date Prev][Date Next]
Antw: Re: OpenLDAP with ssl client certs
>>> Howard Chu <firstname.lastname@example.org> schrieb am 01.11.2013 um 19:12 in Nachricht
> Michael StrÃder wrote:
>> Howard Chu wrote:
>>> Brent Bice wrote:
>>>> I was recently asked if we could use ssl client certs as a 2nd
>>>> of authentication with OpenLDAP and didn't know for sure. Is it
>>>> possible to have OpenLDAP require both a DN/password pair *and* a client
>>>> ssl cert?
>>> You can make the server require a client cert, but it won't use the
>>> certificate identity for anything unless you Bind with SASL/EXTERNAL.
>>> And naturally, if you're using SASL, then the DN/password pair is
>> In case of client certs the cert's subject-DN is the authc-DN which can be
>> directly used in authz-regexp which very much ties the mapping to
>> conventions of the PKI.
>> But in some cases it would be very handy to map a distinct client cert to
>> authz-DN by issuer-DN/serial or even by fingerprint. One use-case is cert
>> pinning of client certs and revocation checking done off-line.
>> Should I file an ITS for that?
> I would reject such an ITS. Cert-pinning is an issue for clients that have a
> very large collection of trusted CAs. The Admin Guide clearly states that
> servers should only trust a single CA - the CA that signed its own certs and
Sorry, but if you insist on that, you didn't understand the concept: Any
certificate signed (transitively) by a root CA is valid. There are no
distinctions between more or less valid certificates; they are either valid or
invalid. Even if you talk about a single CA, what do you mean? A name of a CA,
or one specific certificate of a CA? Over time one CA may have more than one
Please don't set up arbitrary restrictions or recommendations!
> the certs of its clients. In that case, no one else can issue a valid cert
> with the same subjectDN.
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/