On 26/06/2023 7:40 pm, Howard Chu wrote:
> That feature is
> already available using TLSVerifyClient in the slapd config.
Not really. Using the TLSVerifyClient mechanism could be made to
work and would be a nice solution but it isn't there yet. To make
this work, you would need to pass to libldap some type of
specification of the names of legitimate clients. Then in the
tls_o.c:tlso_verify_cb() function, compare the name on the client
cert with the specification and return the pass/fail status back to
the TLS layer. Then it would all "just work".
The average user might be surprised to learn that TLSVerifyClient
does not currently involve checking the client's name. You would
intuitively think that was pretty important.
Pure nonsense.
Pure hubris.
It's sad when it takes a disaster to effect real change.
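The comparison step described above (check the name on the client certificate against an operator-supplied list of legitimate clients, return pass/fail) as a stand-alone example. This is added illustration written for this page, not OpenLDAP code and not what tls_o.c does; it is in Python rather than C so it runs without OpenSSL, and it operates on the dict layout that Python's ssl.SSLSocket.getpeercert() returns. The allow-list syntax (one wildcard per DNS label), the SAN-before-CN rule and the two certificates are assumptions constructed for the example.

```python
"""Allow-list check of the name on a TLS client certificate.

Illustrative example only, not OpenLDAP's code. The peer certificate is
represented in the dict format produced by ssl.SSLSocket.getpeercert();
the two certificates below are constructed for this example.
"""
import fnmatch
from typing import Iterable, List, Mapping


def client_names(peercert: Mapping) -> List[str]:
    """Return the identities a client certificate asserts.

    Following RFC 6125 practice, subjectAltName dNSName entries are
    authoritative; the subject commonName is consulted only when the
    certificate carries no dNSName SAN at all.
    """
    sans = [v for (kind, v) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in peercert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _label_match(name: str, pattern: str) -> bool:
    """Match a DNS name against a pattern label by label.

    A '*' is confined to one label, so 'replica*.example.com' matches
    'replica1.example.com' but not 'replica1.evil.example.com'. DNS names
    are case-insensitive, so both sides are lower-cased first.
    """
    name_labels = name.lower().split(".")
    pattern_labels = pattern.lower().split(".")
    if len(name_labels) != len(pattern_labels):
        return False
    return all(fnmatch.fnmatchcase(n, p) for n, p in zip(name_labels, pattern_labels))


def verify_client_name(peercert: Mapping, allowed: Iterable[str]) -> bool:
    """Return True if any asserted client name matches the allow-list.

    An empty allow-list rejects every client (fail closed). A deployment
    would call this after the TLS handshake, e.g. with conn.getpeercert()
    on a server socket configured with verify_mode = ssl.CERT_REQUIRED,
    and drop the connection on False.
    """
    patterns = list(allowed)
    if not patterns:
        return False
    return any(_label_match(name, p) for name in client_names(peercert) for p in patterns)


# Constructed sample certificates (not real data).
GOOD_CERT = {
    "subject": ((("commonName", "replica1.example.com"),),),
    "subjectAltName": (("DNS", "replica1.example.com"), ("DNS", "replica1")),
}
# Same CN as above, but the authoritative SAN names a different host; with
# only a CA check this certificate would be accepted, the name check rejects it.
MISMATCHED_CERT = {
    "subject": ((("commonName", "replica1.example.com"),),),
    "subjectAltName": (("DNS", "other-host.example.net"),),
}

ALLOWED_CLIENTS = ["replica*.example.com", "admin-console.example.com"]

if __name__ == "__main__":
    print("good:", verify_client_name(GOOD_CERT, ALLOWED_CLIENTS))
    print("mismatched:", verify_client_name(MISMATCHED_CERT, ALLOWED_CLIENTS))
```

The point the function makes concrete is the one raised in the post: a CA check alone answers "was this certificate issued by a trusted CA?", while the allow-list comparison answers "is this one of the clients that is supposed to connect?"; the second question is the one a server operator usually cares about.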