On 11/01/2013 12:12 PM, Howard Chu wrote:
> I would reject such an ITS. Cert-pinning is an issue for clients that
> have a very large collection of trusted CAs. The Admin Guide clearly
> states that servers should only trust a single CA - the CA that signed
> its own certs and the certs of its clients. In that case, no one else
> can issue a valid cert with the same subjectDN.
Thanks to everyone for their comments. Greatly appreciated and
confirmed some of my suspicions about trying to use certs as an actual
2nd factor.
So, was I right in trying to use ~/.ldaprc to try to force
ldapsearch (for instance) to use a cert for authentication? Running a
sniffer and looking at the traffic, it doesn't look like ldapsearch is
ever doing anything beyond an anonymous bind unless I specify -D and -W
in which case it's binding and authenticating as normal rather than
using a cert.
I think the notion of using a client cert as a 2nd factor will get
dropped (at least for now - grin) but my curiosity is piqued enough that
I probably will still tinker with getting slapd to validate a client
cert (just for my own edjimication) and want to be sure I'm actually
correctly getting the client to use the client cert. :-)
Brent
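An added example, not from Brent or anyone else in this thread, showing the ~/.ldaprc settings that make ldapsearch present a client cert and the command line that turns that cert into a bound identity. All paths, the server name and the base DN are hypothetical. The point it illustrates is the one behind the sniffer observation above: TLS_CERT/TLS_KEY only affect the TLS handshake, so without -Y EXTERNAL the LDAP bind that follows is still anonymous.

```shell
#!/bin/sh
# Added example (not code from the thread). Hypothetical paths and names.

# Client-side TLS settings for ~/.ldaprc. These govern only the TLS
# handshake: slapd can verify the cert, but the LDAP bind itself stays
# anonymous unless a SASL EXTERNAL bind is requested.
ldaprc_for_cert_auth() {
    cat <<'EOF'
# ~/.ldaprc (hypothetical paths)
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/ssl/certs/example-ca.pem
TLS_CERT    /home/brent/.ldap/brent.crt
TLS_KEY     /home/brent/.ldap/brent.key
TLS_REQCERT demand
EOF
}

# The ldapsearch invocation that actually authenticates with the cert:
#   -ZZ          force StartTLS and fail rather than fall back to cleartext
#   -Y EXTERNAL  SASL EXTERNAL bind, so slapd derives the identity from the
#                verified client cert instead of doing an anonymous bind
# The command is returned as a string so it can be inspected before running.
cert_auth_search() {
    filter="${1:-(objectClass=*)}"
    printf 'ldapsearch -ZZ -Y EXTERNAL -b dc=example,dc=com %s\n' "$filter"
}

# Sanity check on a candidate ldaprc: 0 if cert, key and CA are all set,
# 1 otherwise. A file missing any of them cannot do cert authentication.
ldaprc_has_cert_settings() {
    f="$1"
    grep -q '^TLS_CERT' "$f" && grep -q '^TLS_KEY' "$f" && grep -q '^TLS_CACERT' "$f"
}
```

Two things to check on the server side before concluding the client is at fault: slapd only asks for a client cert when TLSVerifyClient (olcTLSVerifyClient) is set to try or demand, and TLS_CERT/TLS_KEY are user-level options, honoured in ~/.ldaprc or the LDAPTLS_CERT/LDAPTLS_KEY environment variables but not in the system-wide ldap.conf. With both in place, the cert's subject DN shows up as the authzid of the EXTERNAL bind, which is what a capture or `ldapwhoami -ZZ -Y EXTERNAL` should reflect.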