Greetings.
On 28 Jun 2023, at 3:41, Jordan Brown wrote:
> On 6/27/2023 7:14 PM, Quanah Gibson-Mount wrote:
>> Using a public CA for client certs seems very odd to me.
> Depends on your use case. Think of it as a form of federated login.
Indeed. I've done something similar in the past (this was with access to a web service rather than an LDAP server, but the logic is the same).
Some of my users had, and knew how to use, X.509 certs issued by a large computing grid. So I got my server to trust the CA's cert, and listed the DNs allowed access. The grid CA did the legwork of setting up the PKI and checking the users, and I piggybacked on that, feeling rather smart. Unfortunately, not _all_ of the relevant users had those certs, so I still had to set up a local CA, which meant it ended up more trouble than it was in fact worth.
Best wishes,
Norman