Brent Bice wrote:
> I was recently asked if we could use ssl client certs as a 2nd form of
> authentication with OpenLDAP and didn't know for sure. Is it possible to have
> OpenLDAP require both a DN/password pair *and* a client ssl cert?
Regarding client certs you have two options:
1. Let the client use a client cert and SASL/EXTERNAL to bind to the LDAP
server. Then use authz-regexp in the server's configuration to map the client
cert to an authz-DN - ideally an existing entry. Depending on how your client
certs are used you could consider this to be 2-factor authc, e.g. in case the
client cert's key is stored on a smartcard with a separate PIN.
2. Let the client use a client cert and simple bind with DN/password sent to
the LDAP server. AFAIK you can't enforce that the client cert matches the
bind-DN though. So regarding this as real 2-factor authc is somewhat questionable.
In any case you have to set up your server to correctly validate the client
certs against a locally configured trusted CA cert.
Ciao, Michael.
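A slapd.conf sketch of option 1 (client cert + SASL/EXTERNAL + authz-regexp) as an added example; it is not from the thread, and the CA path, hostname, DNs and the assumed certificate subject layout are placeholders:

```conf
# slapd.conf fragment (added example; all names and paths are placeholders)

# Trust only certs chaining to this locally configured CA, not a system store.
TLSCACertificateFile  /etc/openldap/certs/example-client-ca.pem
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key

# "demand": the TLS handshake fails unless the client presents a cert that
# validates against the CA above. "never" or "allow" (weak settings) would let
# an absent or invalid client cert through, so nothing could be mapped.
TLSVerifyClient demand

# With SASL/EXTERNAL over TLS, slapd uses the client cert's subject DN (in LDAP
# string order) as the SASL authentication identity. Assumption for this
# example: certs are issued with subject cn=<uid>,ou=users,o=example,c=us.
# Check the exact identity string slapd sees with
#   ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com
# (TLS_CERT / TLS_KEY set in ~/.ldaprc) before writing the pattern.
authz-regexp
  "^cn=([^,]+),ou=users,o=example,c=us$"
  "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# Optional hardening choice for this setup: refuse anonymous and simple binds,
# so a DN/password alone cannot bypass the certificate requirement.
disallow bind_anon bind_simple
```

After mapping, the ldapwhoami call above should report the directory entry (e.g. dn:uid=jdoe,ou=people,dc=example,dc=com) rather than the raw certificate subject; an unmapped identity means the pattern does not match what slapd actually sees.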