Brent Bice wrote:
I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert?
Regarding client certs you have two options:
1. Let the client use a client cert and SASL/EXTERNAL to bind to the LDAP server. Then use authz-regexp in the server's configuration to map the client cert to an authz-DN - ideally an existing entry. Depending on how your client certs are used you could consider this to be 2-factor authc, e.g. in case the client cert's key is stored on a smartcard with a separate PIN.
2. Let the client use a client cert and simple bind with DN/password sent to the LDAP server. AFAIK you can't enforce that the client cert matches the bind-DN though. So regarding this as real 2-factor authc is somewhat questionable.
In any case you have to set up your server to correctly validate the client certs against a locally configured trusted CA cert.
Ciao, Michael.
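For readers wanting to see what option 1 above looks like in practice, here is an added slapd.conf fragment (not part of the original thread, and not copied from any OpenLDAP documentation) that enforces client certificate validation and maps the certificate subject DN to an existing user entry. The CA/cert file paths, the certificate subject naming scheme (cn=<name>,ou=people,o=example) and the directory suffix dc=example,dc=com are assumptions for illustration only.

```conf
# --- TLS setup: the server must be able to validate client certs ---
# CA certificate(s) the server trusts for *client* certs (assumed path)
TLSCACertificateFile      /etc/openldap/cacerts/client-ca.pem
# server's own certificate and key (assumed paths)
TLSCertificateFile        /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile     /etc/openldap/certs/slapd.key
# "demand": every TLS session must present a cert that validates against
# TLSCACertificateFile; otherwise the TLS handshake fails.
# Alternatives: "try" accepts connections without a cert but rejects a
# bad one; "allow" also tolerates a bad cert (then SASL/EXTERNAL gets no
# usable identity). "never" (the default) disables client cert checks.
TLSVerifyClient           demand

# --- Map the authenticated cert subject to a directory entry ---
# With SASL/EXTERNAL over TLS the authentication identity slapd sees is
# the certificate's subject DN, e.g. "cn=jane doe,ou=people,o=example".
# authz-regexp rewrites it to a search URL; the single matching entry
# becomes the bind's authorization DN. Regex and URL are illustrative.
authz-regexp
    "^cn=([^,]+),ou=people,o=example$"
    "ldap:///ou=people,dc=example,dc=com??sub?(cn=$1)"
```

To test the mapping from a client with a certificate and key, something like `LDAPTLS_CERT=jane.pem LDAPTLS_KEY=jane.key ldapwhoami -H ldaps://ldap.example.com -Y EXTERNAL` (hostname and file names assumed) should report `dn:cn=Jane Doe,ou=people,dc=example,dc=com` rather than the raw cert subject; if the regexp fails to match, `ldapwhoami` returns the unmapped `dn:cn=...,ou=people,o=example` form, and if the search URL matches zero or more than one entry the bind falls back to the unmapped identity too. Two things worth checking: the regexp is matched against slapd's normalized form of the subject DN (attribute types in lowercase, spacing per RFC 4514), so derive the pattern from what `ldapwhoami -Y EXTERNAL` prints before any authz-regexp is configured, and the subject-matching attribute in the search URL (here `cn`) should be unique within the search base, since a multi-valued or duplicated attribute silently breaks the one-to-one cert-to-entry mapping that makes this a meaningful authentication factor.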