On 26/06/2023 7:40 pm, Howard Chu wrote:
That feature is already available using TLSVerifyClient in the slapd config.
Not really. Using the TLSVerifyClient mechanism could be made to work and would be a nice solution, but it isn't there yet. To make this work, you would need to pass to libldap some type of specification of the names of legitimate clients. Then in the tls_o.c:tlso_verify_cb() function, compare the name on the client cert with the specification and return the pass/fail status back to the TLS layer. Then it would all "just work".
The average user might be surprised to learn that TLSVerifyClient does not currently involve checking the client's name. You would intuitively think that was pretty important.
Pure nonsense.
Pure hubris.
It's sad when it takes a disaster to effect real change.
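The check the reply describes, as an added example that is not code from this thread, from OpenLDAP, or from libldap's tls_o.c: given a client certificate and a list of legitimate client names, decide pass/fail the way a verify callback would report it to the TLS layer. It works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns, takes names from subjectAltName dNSName entries and falls back to the subject CN only when no dNSName is present (RFC 6125 order), and accepts a single leftmost-label wildcard in the allowlist. The allowlist rules, function names and sample certificates are assumptions made for the example.

```python
from __future__ import annotations

# Constructed sample peer certificates in the dict form returned by
# ssl.SSLSocket.getpeercert(). These are not real certificates.
SAN_CERT = {
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (
        ("DNS", "replica1.ldap.example.org"),
        ("email", "ops@example.org"),
    ),
}
CN_ONLY_CERT = {
    "subject": (
        (("organizationName", "Example"),),
        (("commonName", "Client2.Example.Org"),),
    ),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.ldap.example.org"),)}
SUFFIX_ATTACK_CERT = {
    "subjectAltName": (("DNS", "replica1.ldap.example.org.attacker.net"),),
}

# Assumed "specification of the names of legitimate clients": exact DNS
# names, or '*.' followed by a domain to admit exactly one extra label.
ALLOWED_CLIENTS = ["*.ldap.example.org", "client2.example.org"]


def cert_names(peercert: dict) -> list[str]:
    """Names the certificate asserts. subjectAltName dNSName entries win;
    the subject CN is consulted only when there is no dNSName at all."""
    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return [s.lower() for s in sans]
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value.lower()]
    return []


def name_matches(pattern: str, name: str) -> bool:
    """Match one allowlist entry against one certificate name.
    A wildcard is only honoured as the whole leftmost label of the pattern
    and matches exactly one label; the certificate name itself may not
    contain a wildcard, so a '*.ldap.example.org' cert never passes."""
    pattern, name = pattern.lower(), name.lower()
    if "*" not in pattern:
        return pattern == name
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    head, _, tail = name.partition(".")
    return bool(head) and "*" not in head and tail == pattern[2:]


def verify_client_name(peercert: dict, allowed: list[str]) -> tuple[bool, str]:
    """The pass/fail decision a verify callback would hand back to the
    TLS layer, with a reason suitable for a server log line."""
    names = cert_names(peercert)
    if not names:
        return False, "certificate carries no dNSName or CN"
    for name in names:
        for pattern in allowed:
            if name_matches(pattern, name):
                return True, f"{name} matches allowed entry {pattern}"
    return False, f"no allowed entry matches {names}"


if __name__ == "__main__":
    for label, cert in [
        ("SAN cert", SAN_CERT),
        ("CN-only cert", CN_ONLY_CERT),
        ("wildcard cert", WILDCARD_CERT),
        ("suffix attack cert", SUFFIX_ATTACK_CERT),
    ]:
        ok, why = verify_client_name(cert, ALLOWED_CLIENTS)
        print(f"{label:20s} {'PASS' if ok else 'FAIL'}: {why}")
```

In a server built on Python's ssl module the call site would be right after the handshake: set `verify_mode = ssl.CERT_REQUIRED` so the chain is validated, then pass `conn.getpeercert()` through `verify_client_name` and close the connection when it returns False. Chain validation alone only proves the client holds a certificate from a trusted CA; the name check is what ties that certificate to a client the server actually intended to admit.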