Brent Bice wrote:
> So, was I right in trying to use ~/.ldaprc to try to force ldapsearch (for instance) to use a cert for authentication? Running a sniffer and looking at the traffic, it doesn't look like ldapsearch is ever doing anything beyond an anonymous bind unless I specify -D and -W, in which case it's binding and authenticating as normal rather than using a cert.
Use the command-line option -Y EXTERNAL to make the tools send a SASL/EXTERNAL bind, as said before. Otherwise, at the LDAP level only a simple bind or even an anonymous bind gets used, even if you used a client cert at the TLS level.
Then in your slapd.conf something like this:
# Cert-based authc-DN
authz-regexp "(.+)" "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
Then you have to store the client cert's subject DN in the attribute 'seeAlso', in the LDAP DN string representation (openssl x509 -nameopt rfc2253).
> I think the notion of using a client cert as a 2nd factor will get dropped
Again: The 2nd factor depends on whether you have smartcards at the client side or not.
Ciao, Michael.
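As an added illustration (not code from this thread or from OpenLDAP), the following Python models what the authz-regexp rule above does inside slapd: the SASL/EXTERNAL authcDN, i.e. the cert subject in rfc2253 form, is substituted into the search URL and the directory is searched for the single pkiUser entry whose seeAlso holds that DN. The entries, the subject DN and the RFC 4515 filter escaping applied to the substituted value are all constructed assumptions here, not a claim about slapd's own escaping behaviour.

```python
import re

# Constructed sample: a client certificate's subject in the form printed by
#   openssl x509 -in client.pem -noout -subject -nameopt rfc2253
# (hypothetical names; the parentheses show why filter escaping matters).
CERT_SUBJECT_DN = "CN=Brent Bice,OU=Ops,O=Example (Test),DC=example,DC=com"

# Constructed in-memory stand-in for the dc=example,dc=com subtree in slapd.
DIRECTORY = {
    "uid=bbice,ou=people,dc=example,dc=com": {
        "objectClass": {"inetOrgPerson", "pkiUser"}, "seeAlso": {CERT_SUBJECT_DN}},
    "uid=other,ou=people,dc=example,dc=com": {  # same seeAlso, but not a pkiUser
        "objectClass": {"inetOrgPerson"}, "seeAlso": {CERT_SUBJECT_DN}},
}

# The authz-regexp rule from the mail: match the whole authcDN, then look up
# the entry that carries that DN in 'seeAlso'.
AUTHZ_REGEXP = (r"(.+)",
                "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))")

def filter_escape(value):
    """RFC 4515 escaping so '(' ')' '*' '\\' in a subject DN cannot break the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def rewrite_authc_dn(authc_dn, rule=AUTHZ_REGEXP):
    """Return the search URL the rule yields for authc_dn, or None if it does not match."""
    pattern, template = rule
    m = re.fullmatch(pattern, authc_dn)
    if not m:
        return None
    for i, group in enumerate(m.groups(), 1):
        template = template.replace("$%d" % i, filter_escape(group))
    return template

def search_url(url, directory=DIRECTORY):
    """Evaluate an 'ldap:///base??sub?(&(a=v)(b=v))' URL against the constructed directory."""
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?", 3)
    assert scope == "sub", "only subtree scope is modelled here"
    wanted = [(a, filter_unescape(v))
              for a, v in re.findall(r"\((\w+)=((?:[^()\\]|\\..)*)\)", filt)]
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base.lower())
            and all(v in attrs.get(a, set()) for a, v in wanted)]

def authz_dn_for_cert(authc_dn):
    """Map a cert subject DN to exactly one entry; zero or several hits means no identity."""
    url = rewrite_authc_dn(authc_dn)
    hits = search_url(url) if url else []
    return hits[0] if len(hits) == 1 else None
```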