On 1/9/2025 8:00 PM, Sean Gallagher wrote:
As it stands, slapd does not check the server name on a client certificate, or client certificate chain. It only exposes the name to the access control rules. slapd will accept a connection from a client with ANY certificate signed by ANY CA in its list.
Certificates are designed to provide authentication, not authorization. They let you prove who you are, but that says nothing about whether you should be allowed to perform a particular action.
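The split described in this exchange, as an added slapd.conf sketch that is not part of the original thread or the project's own configuration: the TLS directives decide which certificates are accepted, and the access rules decide what an accepted identity may do. The file paths, the example.com naming scheme and the replicator identity are assumptions made for illustration.

```conf
# Added example (slapd.conf style). Paths and DNs are constructed placeholders.

# Authentication: which client certificates slapd accepts.
# As the thread notes, any certificate signed by a CA in this file is accepted,
# so keep the file limited to the CA(s) that issue your client certificates.
TLSCACertificateFile   /etc/openldap/certs/client-issuing-ca.pem
TLSCertificateFile     /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key
TLSVerifyClient        demand

# A client that binds with SASL EXTERNAL is identified by its certificate
# subject DN. Map that DN onto a directory entry (assumed naming scheme).
authz-regexp
    "^cn=([^,]+),ou=services,o=example$"
    "cn=$1,ou=services,dc=example,dc=com"

# Authorization: what an authenticated identity may do.
# Only the named service identity may read this subtree; every other
# identity, including other holders of valid certificates, gets nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=replicator,ou=services,dc=example,dc=com" read
    by * none
```

The certificate name only reaches the access rules when the client binds with SASL EXTERNAL; a client that completes the TLS handshake and then binds another way is evaluated under that other identity.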