Hi OpenLDAP team,
I am investigating writing a module to perform certificate validation as has been discussed in previous posts (see the "Proposal to strengthen slapd EXTERNAL authentication" thread on the openldap-technical@openldap.org list).
The idea is to inspect the subject name on the client certificate as soon as possible after TLS is established and close the connection if it does not match some predefined pattern. This would allow client certificates signed by public CAs to be used safely with slapd.
Looking through the code, I see that dnX509peerNormalize() is called almost immediately after TLS is established and that it may be handled by a callable handler installed by the register_certificate_map_function() entry point. This would be an ideal place to inspect the certificate. The only problem being that there is no way to "reject" a certificate and force the connection to be closed.
It may be possible to use the ssl context passed into the dnX509peerNormalize() function to close the connection but this would not be very clean and likely have undesirable side effects. What would be good is if dnX509peerNormalize() could return a particular error code to signal that the connection should be immediately closed.
I see that LDAP_INVALID_CREDENTIALS is already used to signal benign invalid credentials.
Maybe a new error code is required, something like "LDAP_HOSTILE_CREDENTIALS".
connection.c: connection_read() could then detect this and close the connection in an orderly fashion by calling
connection_closing( c, "TLS Client certificate rejected" ); connection_close( c );
This would seem to be a generally useful thing to have in the slapd core. Is this something the OpenLDAP project would consider doing?
Sean.
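Added example (editor's illustration, not code from the post above or from the OpenLDAP project): a stand-alone C sketch of the subject-name check the post describes, written in the shape of a certificate map function. It does not link against slapd. The hook signature int fn(void *ssl, struct berval *dn) is assumed to mirror slapd's SLAP_CERT_MAP_FN, "struct berval" is a local stand-in for the lber.h type, the DN is assumed to arrive already normalized and NUL-terminated, the allowed suffixes are constructed sample values, and LDAP_HOSTILE_CREDENTIALS is the hypothetical result code proposed in the post, not a real LDAP code. LDAP_INVALID_CREDENTIALS keeps its real value (49) for the benign "no usable subject" case. The check handles escaped commas in the leading RDN so that a value such as "a\,b" is not mistaken for an RDN boundary.

```c
/* Added example, not OpenLDAP code.  Subject-name policy check of the kind a
 * certificate map function could apply.  Assumptions: hook signature mirrors
 * SLAP_CERT_MAP_FN, struct berval below stands in for the lber.h type, the DN
 * is already normalized and NUL-terminated, suffixes are sample values, and
 * LDAP_HOSTILE_CREDENTIALS is the hypothetical code from the post. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS             0x00
#define LDAP_INVALID_CREDENTIALS 0x31   /* real LDAP result code (49): benign */
#define LDAP_HOSTILE_CREDENTIALS 0x1000 /* hypothetical: "close this connection" */

struct berval {                 /* stand-in for lber.h's struct berval */
    unsigned long bv_len;
    char *bv_val;
};

/* The "predefined pattern": the subject must be cn=<value> directly under one
 * of these suffixes.  Sample values, assumed for illustration only. */
static const char *const allowed_suffixes[] = {
    "ou=ldap clients,o=example corp,c=us",
    "ou=replicas,o=example corp,c=us",
};

/* Case-insensitive equality of two NUL-terminated strings. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* True if dn[pos] is an unescaped ',' (an RDN separator): a ',' preceded by
 * an even number of backslashes.  "a\,b" therefore stays one RDN value. */
static int is_rdn_separator(const char *dn, size_t pos)
{
    size_t i = pos, backslashes = 0;
    if (dn[pos] != ',')
        return 0;
    while (i > 0 && dn[i - 1] == '\\') {
        backslashes++;
        i--;
    }
    return (backslashes % 2) == 0;
}

/* Policy: leading RDN is "cn=" with a non-empty value, and everything after
 * the first unescaped ',' equals one of the allowed suffixes (case-insensitive). */
static int subject_matches_policy(const char *dn)
{
    size_t i, k, n = strlen(dn);
    if (n <= 3 || tolower((unsigned char)dn[0]) != 'c' ||
        tolower((unsigned char)dn[1]) != 'n' || dn[2] != '=')
        return 0;
    for (i = 3; i < n; i++)
        if (is_rdn_separator(dn, i))
            break;
    if (i == 3 || i >= n)        /* empty cn value, or no suffix at all */
        return 0;
    for (k = 0; k < sizeof allowed_suffixes / sizeof allowed_suffixes[0]; k++)
        if (ci_equal(dn + i + 1, allowed_suffixes[k]))
            return 1;
    return 0;
}

/* Hook in the assumed SLAP_CERT_MAP_FN shape.  LDAP_SUCCESS accepts the mapped
 * DN; LDAP_INVALID_CREDENTIALS is the benign "nothing usable" case; the
 * hypothetical LDAP_HOSTILE_CREDENTIALS is what connection_read() would act on
 * by closing the connection.  ssl is unused in this sketch. */
int example_cert_map(void *ssl, struct berval *dn)
{
    (void)ssl;
    if (dn == NULL || dn->bv_val == NULL || dn->bv_len == 0)
        return LDAP_INVALID_CREDENTIALS;
    return subject_matches_policy(dn->bv_val) ? LDAP_SUCCESS
                                              : LDAP_HOSTILE_CREDENTIALS;
}

/* Convenience wrapper: run the hook on a plain C string. */
int check_subject(const char *subject)
{
    struct berval dn;
    dn.bv_len = subject ? (unsigned long)strlen(subject) : 0;
    dn.bv_val = (char *)subject;
    return example_cert_map(NULL, &dn);
}

int main(void)
{
    /* Constructed sample subjects; the second is the kind of name a public CA
     * might issue for a hostname the attacker controls. */
    static const char *const samples[] = {
        "cn=db01,ou=ldap clients,o=example corp,c=us",
        "cn=www.attacker.example,o=some public ca customer,c=xx",
        "cn=a\\,b,ou=replicas,o=example corp,c=us",
        "",
    };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-58s -> 0x%x\n", samples[k], check_subject(samples[k]));
    return 0;
}
```

A real mapper would receive the output of dnX509peerNormalize() rather than a hand-built string, and the allowed suffixes would come from slapd configuration; the separator handling is the part worth keeping, since a naive strstr()-style suffix test would accept a subject whose cn value merely contains ",ou=ldap clients,...".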