Dieter Kluenter wrote:
> There are administration clients that do support TLS and StartTLS and most of the extended operations.
Well, one has to be careful regarding the security aspects of TLS with client cert authentication. No matter whether you use LDAP, HTTPS or whatever, this only makes sense if the clients are operated by human end-users who *interactively* enter a passphrase for a private key stored on disk or a PIN for a private key stored on a smartcard.
If you have private keys without a passphrase on disk, this is no more secure than having a password for a bind-DN on disk in a config file. In both cases only local file permissions protect the client credential from being abused.
Using client cert authc with SASL/EXTERNAL for a web-based LDAP client authenticates the user running the web application. Using client authc with HTTPS is of no use unless you fully trust the web application to correctly implement Proxy Authorization. I currently don't know of any Open Source web-based LDAP client which does that.
Ciao, Michael.
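As an added example, not part of this thread and not the code of any of the clients mentioned: a cn=config LDIF fragment for OpenLDAP slapd that shows the server side of the proxy authorization setup referred to above, where a web application authenticates with its own TLS client cert via SASL/EXTERNAL and then uses the proxy authorization control (RFC 4370) to act as the end user. The domain names, DNs, file paths and the certificate subject (cn=webapp,ou=services,o=example,c=de) are assumptions made for illustration.

```ldif
# Added example (not from the original thread). All DNs, paths and the
# certificate subject below are assumed for illustration.

# 1. Global settings: demand a client cert on TLS, map the cert subject DN
#    that SASL/EXTERNAL yields onto a real entry, and enable the authzTo policy.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/internal-ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.example.com.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.example.com.key
-
# "demand" rejects every TLS session without a valid client cert from the CA
# above; "try" would request one but still allow sessions without it.
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
# With SASL/EXTERNAL over TLS the authentication identity is the cert subject
# in RFC 4514 string form (assumed here: cn=webapp,ou=services,o=example,c=de).
# Map it onto the service account entry; without a mapping the identity
# matches no entry and the authzTo lookup below can never succeed.
replace: olcAuthzRegexp
olcAuthzRegexp: "^cn=([^,]+),ou=services,o=example,c=de$" "cn=$1,ou=services,dc=example,dc=com"
-
# "to": an authenticated identity may only assume identities listed in its
# own authzTo attribute. ("from" would instead let each target entry declare
# who may proxy as it via authzFrom.)
replace: olcAuthzPolicy
olcAuthzPolicy: to

# 2. The web application's service account. authzTo is an operational
#    attribute in OpenLDAP, so it can be set on this entry regardless of its
#    objectClass. Limiting it to the end-user subtree means a compromised
#    application (or its unencrypted key on disk) can impersonate end users,
#    but not entries outside ou=people such as admin accounts.
dn: cn=webapp,ou=services,dc=example,dc=com
changetype: add
objectClass: applicationProcess
cn: webapp
description: web-based LDAP client, authenticates with its own TLS client cert
authzTo: dn.subtree:ou=people,dc=example,dc=com
```

Load it with ldapmodify against the config database (for example via ldapi:/// with SASL/EXTERNAL as root). To check the mapping from the application host, with TLS_CERT and TLS_KEY pointing at the application's cert and key in its ldaprc (an assumed setup), `ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com -e authzid="dn:uid=alice,ou=people,dc=example,dc=com"` should answer with alice's DN, while an authzid outside ou=people must be refused with insufficient access. Note that the key the application presents is exactly the on-disk credential discussed above: whoever can read it can act as any user under ou=people, which is why the application itself has to be trusted to pass only the identity it has actually authenticated.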