Ulrich Windl wrote:
>>> Michael Ströder <michael(a)stroeder.com> wrote on 01.11.2013 at 19:26 in
> Unfortunately it's not that easy:
>
> Consider a (somewhat broken) "official" CA, which you definitely cannot
> avoid or fix and which issues client certs with non-unique subject-DNs. In
> this case one has to choose a certain client cert e.g. by issuer-DN/serial
> for the mapping.
CAs either accept the subject name in the certification request, or they deny
it, but they never change it.
Not true and also not relevant here.
> Also consider that you want to off-load revocation checking of client certs
> to an external process for better performance. In this case you also need to
> distinguish client certs by some more information than just a subject-DN.
"you" is the process that handles CRLs. That process should be able to do it
properly.
What exactly do you want to say?
> Furthermore it's really not unusual to have several CAs which issue client
> certs for different purposes. So IMHO it should be possible to map client
> certs by a certain CA only to a certain subset of authz-DNs.
That's also wrong: You don't have to observe the issuing CA, but the
certificate's attributes, like "X509v3 Key Usage".
Well, I'm not new to PKI but I don't get what you say.
I don't want to "observe the CA".
I just want to make sure that client certs issued by CA1 get mapped to
certain authz-DNs (server objects in my case) and others issued by CA2 get
mapped to other authz-DNs.
Did you really understand what I wrote?
Ciao, Michael.
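The mapping Michael describes, as an added example that is not code from anyone in this thread nor from OpenLDAP: a small Python model that maps a client cert to an authz-DN by issuer DN plus serial number instead of by subject DN alone. Certs from one CA land in one subtree, a cert with the identical subject from another CA lands in a different subtree, two certs from a subject-reusing CA are told apart by serial, and revocation state is keyed by (issuer, serial), which is what a CRL entry identifies. All CA names, serials, subjects and authz-DNs are constructed sample data; the DN normalization is a deliberately simplified stand-in for RFC 4518 string preparation, and multi-valued RDNs are not handled.

```python
# Added example (not from this thread or OpenLDAP): map client certs to
# authz-DNs by issuer DN + serial. All names/serials/DNs are constructed.
from dataclasses import dataclass
from typing import Optional

def parse_dn(dn: str) -> list:
    """Split an RFC 4514 DN string into (type, value) pairs, honouring
    backslash escapes (multi-valued RDNs with '+' are not supported)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":            # keep the escape pair intact, never split on it
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            rdns.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur)
    return [(t.strip(), v.strip()) for t, _, v in (r.partition("=") for r in rdns)]

def normalize_dn(dn: str) -> tuple:
    """Comparison form (simplified RFC 4518 prep). Comparing raw strings
    instead would treat 'cn=Foo,o=X' and 'CN=foo, O=x' as different CAs."""
    return tuple((t.lower(), v.casefold()) for t, v in parse_dn(dn))

def dn_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies in the subtree below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so a subject CN cannot inject extra RDNs."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

@dataclass(frozen=True)
class ClientCert:
    issuer: str   # issuer DN as carried in the cert
    serial: int   # unique only within one issuer
    subject: str  # a broken CA may issue the same subject more than once

@dataclass(frozen=True)
class MappingRule:
    issuer: str                   # only certs from this CA match
    authz_base: str               # the mapped DN must stay inside this subtree
    template: str                 # "{cn}" is replaced by the escaped subject CN
    serial: Optional[int] = None  # pin the rule to one cert of that CA

class CertAuthzMapper:
    def __init__(self, rules):
        self.rules = list(rules)
        self.revoked = set()  # {(normalized issuer DN, serial)}, as a CRL keys it

    def revoke(self, issuer: str, serial: int) -> None:
        self.revoked.add((normalize_dn(issuer), serial))

    def _select_rule(self, issuer: tuple, serial: int) -> Optional[MappingRule]:
        hits = [r for r in self.rules
                if normalize_dn(r.issuer) == issuer and r.serial in (None, serial)]
        # a serial-pinned rule beats the issuer-wide default
        return min(hits, key=lambda r: r.serial is None, default=None)

    def map_cert(self, cert: ClientCert) -> Optional[str]:
        """authz-DN for cert, or None if revoked, unmapped or outside the subtree."""
        issuer = normalize_dn(cert.issuer)
        if (issuer, cert.serial) in self.revoked:
            return None
        rule = self._select_rule(issuer, cert.serial)
        cn = next((v for t, v in parse_dn(cert.subject) if t.lower() == "cn"), None)
        if rule is None or cn is None:
            return None
        authz_dn = rule.template.format(cn=escape_rdn_value(cn))
        return authz_dn if dn_under(authz_dn, rule.authz_base) else None

# constructed sample CAs: two in-house CAs plus a partner CA that reuses subjects
SERVER_CA = "CN=Server CA,O=Example Corp"
USER_CA = "CN=User CA,O=Example Corp"
PARTNER_CA = "CN=Partner CA,O=Partner Inc"
BASE = "dc=example,dc=com"

def build_sample_mapper() -> CertAuthzMapper:
    return CertAuthzMapper([
        MappingRule(SERVER_CA, "ou=servers," + BASE, "cn={cn},ou=servers," + BASE),
        MappingRule(USER_CA, "ou=people," + BASE, "uid={cn},ou=people," + BASE),
        # Partner CA issued two certs with subject "CN=ops"; pin each one by serial
        MappingRule(PARTNER_CA, "ou=partners," + BASE, "cn=ops-site-a,ou=partners," + BASE, 0x1001),
        MappingRule(PARTNER_CA, "ou=partners," + BASE, "cn=ops-site-b,ou=partners," + BASE, 0x1002),
    ])

if __name__ == "__main__":
    m = build_sample_mapper()
    for c in (ClientCert(SERVER_CA, 7, "CN=host1"), ClientCert(USER_CA, 7, "CN=host1"),
              ClientCert(PARTNER_CA, 0x1001, "CN=ops"), ClientCert(PARTNER_CA, 0x1003, "CN=ops")):
        print(c.issuer, hex(c.serial), c.subject, "->", m.map_cert(c))
```

Two points carry over to a real deployment: match on normalized DNs, not raw strings, so a differently cased issuer string from the same CA does not silently fall through to "no rule", and check the produced authz-DN against the rule's subtree, so neither a template mistake nor a crafted subject CN lets one CA's certs reach entries reserved for another.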