Sean Gallagher wrote:
On 26/06/2023 7:40 pm, Howard Chu wrote:
That feature is already available using TLSVerifyClient in the slapd config.
Not really. Using the TLSVerifyClient mechanism could be made to work and would be a nice solution, but it isn't there yet. To make this work, you would need to pass to libldap some type of specification of the names of legitimate clients. Then, in the tls_o.c:tlso_verify_cb() function, compare the name on the client cert with the specification and return the pass/fail status back to the TLS layer. Then it would all "just work".
The average user might be surprised to learn that TLSVerifyClient does not currently involve checking the client's name. You would intuitively think that was pretty important.
The point of a certificate-based authentication system is not to have to implement authentication rules for each and every individual user. An LDAP server should only trust certificates issued by a single CA; that CA should only be issuing certs to valid users. Ideally, the LDAP server should be the CA, which is what slapo-autoca is designed for.
An LDAP server is not a web server or a client. There is no reason for it to trust certs from multiple CAs.
Pure nonsense.
Pure hubris.
It's sad when it takes a disaster to effect real change.
Pure ignorance.
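For illustration only (this is added example code, not OpenLDAP's tlso_verify_cb() or any slapd configuration), the two checks argued over above can be written as one policy decision: the certificate must come from the single configured CA, and the name on it must appear in an explicit specification of legitimate clients. The certificate layout follows what Python's ssl.SSLSocket.getpeercert() returns; the policy format, the sample certificates and all names in them are constructed for the example.

```python
# Added illustration (not OpenLDAP code): issuer pinning plus a client-name
# check, written against the dict layout of ssl.SSLSocket.getpeercert().
# The ClientPolicy shape and the sample data below are assumptions.
from dataclasses import dataclass, field


def dn_to_string(dn):
    """Flatten getpeercert()'s ((('commonName','x'),), ...) RDN tuples."""
    return ",".join(f"{k}={v}" for rdn in dn for k, v in rdn)


def san_names(cert):
    """Lower-cased subjectAltName values a client might legitimately be named by."""
    return {v.lower() for kind, v in cert.get("subjectAltName", ())
            if kind in ("DNS", "email", "URI")}


@dataclass
class ClientPolicy:
    trusted_issuer: str                                  # full issuer DN, one CA only
    allowed_subjects: set = field(default_factory=set)   # full subject DNs
    allowed_sans: set = field(default_factory=set)       # lower-case SAN values


def verify_client(cert, policy):
    """Return (accepted, reason): the pass/fail a verify callback would hand
    back to the TLS layer once chain validation itself has already succeeded."""
    if dn_to_string(cert.get("issuer", ())) != policy.trusted_issuer:
        return False, "issuer not the configured CA"
    if dn_to_string(cert.get("subject", ())) in policy.allowed_subjects:
        return True, "subject DN matches"
    if san_names(cert) & policy.allowed_sans:
        return True, "subjectAltName matches"
    return False, "client name not in specification"


# Constructed sample certificates in getpeercert() layout (not real certs).
_CA = ((("commonName", "Example LDAP CA"),), (("organizationName", "Example"),))
_OTHER_CA = ((("commonName", "Other CA"),), (("organizationName", "Elsewhere"),))
GOOD_CERT = {"issuer": _CA,
             "subject": ((("commonName", "alice"),), (("organizationName", "Example"),))}
SAN_CERT = {"issuer": _CA,
            "subject": ((("commonName", "bob"),), (("organizationName", "Example"),)),
            "subjectAltName": (("email", "Bob@example.test"),)}
WRONG_CA_CERT = {"issuer": _OTHER_CA, "subject": GOOD_CERT["subject"]}
UNLISTED_CERT = {"issuer": _CA,
                 "subject": ((("commonName", "mallory"),), (("organizationName", "Example"),))}

POLICY = ClientPolicy(trusted_issuer="commonName=Example LDAP CA,organizationName=Example",
                      allowed_subjects={"commonName=alice,organizationName=Example"},
                      allowed_sans={"bob@example.test"})

if __name__ == "__main__":
    for name, cert in [("good", GOOD_CERT), ("san", SAN_CERT),
                       ("wrong_ca", WRONG_CA_CERT), ("unlisted", UNLISTED_CERT)]:
        print(name, verify_client(cert, POLICY))
```

A certificate from a second CA is rejected before its name is even looked at, and a valid certificate from the right CA is still rejected when its holder is not in the specification.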