Is there any way to create an ACL rule which will match if a client certificate was used on the connection or not? I'd like to do an ACL such as
to attrs=userPassword by peername.ip="1.2.3.0%255.255.255.0" auth by client_ssf="64" auth
Also set olcTLSVerifyClient=try
This will let our internal network authenticate against ldap without needing a client cert, but anyone outside our internal network must have one. We would then use our own CA to create certificates for all the clients and tell OpenLDAP to trust only that CA. Obviously client_ssf doesn't exist, but is there another way of accomplishing this goal?
-Patrick
Patrick Hemmer wrote:
Is there any way to create an ACL rule which will match if a client certificate was used on the connection or not?
This is usually not done via ACLs.
Basically you define an appropriate authz-regexp to map the subject DN of the cert (part of authc-DN) to an LDAP entry DN (authz-DN). Then your client has to send a SASL bind request with mechanism EXTERNAL.
Ciao, Michael.
Sent: Tue Jun 05 2012 15:59:40 GMT-0400 (EDT)
From: Michael Ströder <michael@stroeder.com>
To: Patrick Hemmer <openldap@stormcloud9.net>, openldap-technical@openldap.org
Subject: Re: ACL rule match if client certificate was used?
Patrick Hemmer wrote:
Is there any way to create an ACL rule which will match if a client certificate was used on the connection or not?
This is usually not done via ACLs.
Basically you define an appropriate authz-regexp to map the subject DN of the cert (part of authc-DN) to an LDAP entry DN (authz-DN). Then your client has to send a SASL bind request with mechanism EXTERNAL.
Ciao, Michael.
Unfortunately I'm not using SASL; I'm doing simple binds.
-Patrick
On 2012-06-05 13:42, Patrick Hemmer wrote:
Is there any way to create an ACL rule which will match if a client certificate was used on the connection or not? I'd like to do an ACL such as
to attrs=userPassword by peername.ip="1.2.3.0%255.255.255.0" auth by client_ssf="64" auth
Also set olcTLSVerifyClient=try
This will let our internal network authenticate against ldap without needing a client cert, but anyone outside our internal network must have one. We would then use our own CA to create certificates for all the clients and tell OpenLDAP to trust only that CA. Obviously client_ssf doesn't exist, but is there another way of accomplishing this goal?
I wrote a proof of concept dynacl that essentially does this. The ACL looked something like:
access to attrs=userPassword by dynacl/clientAuth auth
All the dynacl does is determine if there is an authid in the SASL context. If so, a client certificate was used and access can be granted.
Examples of dynacls can be found in contrib/slapd-modules/acl.
Sent: Tue Jun 05 2012 17:39:03 GMT-0400 (EDT)
From: David Hawes <dhawes@vt.edu>
To: openldap-technical@openldap.org
Subject: Re: ACL rule match if client certificate was used?
On 2012-06-05 13:42, Patrick Hemmer wrote:
Is there any way to create an ACL rule which will match if a client certificate was used on the connection or not? I'd like to do an ACL such as
to attrs=userPassword by peername.ip="1.2.3.0%255.255.255.0" auth by client_ssf="64" auth
Also set olcTLSVerifyClient=try
This will let our internal network authenticate against ldap without needing a client cert, but anyone outside our internal network must have one. We would then use our own CA to create certificates for all the clients and tell OpenLDAP to trust only that CA. Obviously client_ssf doesn't exist, but is there another way of accomplishing this goal?
I wrote a proof of concept dynacl that essentially does this. The ACL looked something like:
access to attrs=userPassword by dynacl/clientAuth auth
All the dynacl does is determine if there is an authid in the SASL context. If so, a client certificate was used and access can be granted.
Examples of dynacls can be found in contrib/slapd-modules/acl.
Hrm, this sounds promising. I'll take a look down this route.
Thanks :-)
-Patrick
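As an added example, not configuration posted in this thread or shipped by the OpenLDAP project, here is a cn=config LDIF that combines Patrick's requirement (internal subnet may use password binds, everyone else must hold a certificate from our own CA) with the authz-regexp / SASL EXTERNAL mapping Michael describes, and so needs none of the custom dynacl David mentions. The CA file path, the 1.2.3.0/24 subnet taken from Patrick's draft ACL, the certificate subject layout (cn=<client>,ou=clients,o=example corp), the DIT names and the database DN olcDatabase={1}mdb are all assumptions; adjust them to your deployment.

```ldif
# Added example (assumed paths, names and subnet), not the thread's own config.
#
# 1. Trust only the internal CA and request, but do not demand, a client cert.
#    With "try" a client that presents a certificate NOT issued by this CA has
#    its session terminated; a client that presents no certificate proceeds.
# 2. olcAuthzRegexp maps the certificate subject DN, which slapd uses as the
#    authc-DN of a SASL EXTERNAL bind, onto that client's own entry.  The
#    pattern is matched against the DN as slapd normalizes it, so confirm the
#    exact string with "ldapwhoami -ZZ -Y EXTERNAL" before relying on it.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/internal-ca.pem
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=([^,]+),ou=clients,o=example corp$"
  "ldap:///ou=clients,dc=example,dc=com??sub?(cn=$1)"

# 3. Simple binds (the "auth" privilege on userPassword) are offered only to
#    the internal subnet and only over TLS with at least a 128-bit cipher.
#    Everyone else gets "none", so from outside the only bind that works is
#    SASL EXTERNAL with a certificate the CA above issued.  {0} places this
#    clause ahead of the database's existing olcAccess values.  Add a
#    "by self write" line before "by * none" if users set their own passwords.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by peername.ip="1.2.3.0%255.255.255.0" tls_ssf=128 auth
  by * none
```

Apply it with ldapmodify against cn=config. Internal clients keep doing simple binds over TLS as before. External clients point LDAPTLS_CERT and LDAPTLS_KEY at their CA-issued certificate and key and bind with -Y EXTERNAL instead of a password; ldapwhoami -ZZ -Y EXTERNAL prints the DN the regexp produced, which is the quickest way to verify the mapping. Under "try" a certificate from any other CA makes slapd drop the connection, and a connection with no certificate at all can reach userPassword only from 1.2.3.0/24.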