Howard Chu hyc@symas.com wrote on 01.11.2013 at 19:12 in message
Michael Ströder wrote:
Howard Chu wrote:
Brent Bice wrote:
I was recently asked if we could use SSL client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client SSL cert?
You can make the server require a client cert, but it won't use the certificate identity for anything unless you Bind with SASL/EXTERNAL.
http://www.openldap.org/doc/admin24/sasl.html#EXTERNAL
And naturally, if you're using SASL, then the DN/password pair is ignored.
BTW:
In case of client certs the cert's subject-DN is the authc-DN, which can be directly used in authz-regexp; this very much ties the mapping to the subject-DN conventions of the PKI.
But in some cases it would be very handy to map a distinct client cert to an authz-DN by issuer-DN/serial or even by fingerprint. One use-case is cert pinning of client certs and revocation checking done off-line.
Should I file an ITS for that?
I would reject such an ITS. Cert-pinning is an issue for clients that have a very large collection of trusted CAs. The Admin Guide clearly states that servers should only trust a single CA - the CA that signed its own certs and
Sorry, but if you insist on that, you didn't understand the concept: Any certificate signed (transitively) by a root CA is valid. There are no distinctions between more or less valid certificates; they are either valid or invalid. Even if you talk about a single CA, what do you mean? A name of a CA, or one specific certificate of a CA? Over time one CA may have more than one certificate.
Please don't set up arbitrary restrictions or recommendations!
Regards, Ulrich
the certs of its clients. In that case, no one else can issue a valid cert with the same subjectDN.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
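As an added illustration of the setup discussed in this thread (not taken from any message in it), a slapd.conf fragment that demands a client certificate, trusts only the single CA that issues those certificates, and maps the certificate subject-DN presented via SASL/EXTERNAL to a directory entry with authz-regexp; the file paths, the PKI naming convention and the directory suffix are assumptions.

```conf
# Trust exactly one CA: the one that issues the client certificates.
# slapd accepts any certificate that chains to a CA in this file, so
# keeping the file to that single CA is what makes the subject-DN unique.
# (paths below are assumed)
TLSCACertificateFile /etc/openldap/ca/client-issuing-ca.pem
TLSCertificateFile /etc/openldap/certs/ldap.example.com.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key

# Refuse the TLS handshake unless the client presents a certificate
# signed by that CA. A valid cert alone grants nothing: the identity is
# only used when the client binds with SASL/EXTERNAL.
TLSVerifyClient demand

# With SASL/EXTERNAL the authc-DN is the certificate's subject-DN in
# LDAP string form. Map "cn=<name>,ou=people,o=example" (assumed PKI
# naming convention) to the entry under ou=people,dc=example,dc=com
# whose cn matches. A subject-DN that does not match the regexp maps
# to nothing, so such a client cannot bind.
authz-regexp
  "^cn=([^,]+),ou=people,o=example$"
  "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"
```

A client holding a matching certificate then binds with `ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com/`, and no DN/password pair is involved, which is the point made above.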