Re: certificate mapping (Was: Netscape SLAPI -- IBM contribution to OpenLDAP)
Kurt D. Zeilenga wrote:
> At 10:57 AM 2001-12-03, Kartik Subbarao wrote:
>> One question -- does this implementation include the certificate
>> mapping API capabilities that Netscape also provides, or would that
>> need to be implemented separately?
> I'm not sure exactly what features other vendors provide. Can
> you describe these?
The docs for the Netscape certificate mapping API that I'm referring to
are here:
http://docs.iplanet.com/docs/manuals/certificate/index.htm
Basically, it allows you to customize the certificate-to-DN mapping
process very flexibly. For example, let's say that
1) Each employee's certificate has the following attributes:
OU=Employment Status - Employees
uid=employee_mail@corp.com
2) Each server certificate has the following attributes:
OU=Servers
cn=servername.corp.com
3) The LDAP Directory has the following structure:
ou=Employees, o=corp.com => contains Employee entries
ou=Servers, o=corp.com => contains Server entries
Now, let's say you want to be able to map employee and server
certificates to the appropriate entries in the directory. The
certificate mapping API lets you write code to pull out the OU
attribute from the cert, and make custom decisions on it, like the
following:
ou = get_ou_from_cert();
if (ou == "Employment Status - Employees") {
    uidattr = get_uid_from_cert();
    entry = ldap_search(base => "ou=Employees, o=corp.com",
                        filter => "(uid=" uidattr ")");
}
else if (ou == "Servers") {
    cnattr = get_cn_from_cert();
    entry = ldap_search(base => "ou=Servers, o=corp.com",
                        filter => "(cn=" cnattr ")");
}
dn = entry->get_dn();
Then you can use the DN as the mapped DN for the purpose of ACI rules,
etc.
>> One of the things holding us back
>> from using OpenLDAP more broadly is the current lack of ability to map
>> an SSL client certificate to a DN in the directory, and use that DN in
>> ACIs, etc.
> This is actually possible today. That is, when SASL EXTERNAL is
> used with TLS (SSL), the TLS layer provides SASL with the
> authentication identity (a DN), which is then mapped into
> an LDAP authzid, which is then mapped to a subject DN for access
> control evaluation.
Well, that sounds a lot more involved than the standard SSL client
certificate-based authentication. We need to be able to support clients
that make the following kind of API call:
http://docs.iplanet.com/docs/manuals/dirsdk/csdk41/html/function.htm#26024
This is the ldapssl_clientauth_init() function, which would be invoked with
client certificate information. Also equivalent is the -K option to Netscape's
ldapsearch command. Is this something that OpenLDAP could support?
Caveat: my SSL/TLS expertise is not as high as most
folks in this august forum, so please be kind if I screwed up and
oversimplified something :-)
-Kartik
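As an added illustration (not the Netscape/iPlanet mapping API, and not code from either poster), here is the OU-based mapping sketched in the pseudocode above, written in Python over a string-form certificate subject. The mapping table, the DN parsing helper and the RFC 4515 escaping applied to the certificate value before it is placed in the search filter are assumptions of this example, not part of the post.

```python
# Added example (not the Netscape/iPlanet API or OpenLDAP code): the mapping
# rules from the post, as a pure-Python function over a certificate subject DN.
import re

# Mapping table taken from the post: certificate OU -> (search base, attribute
# to match). The matched attribute's value is also read from the cert subject.
MAPPING_RULES = {
    "employment status - employees": ("ou=Employees, o=corp.com", "uid"),
    "servers": ("ou=Servers, o=corp.com", "cn"),
}

def parse_subject_dn(subject_dn):
    """Split a string-form subject DN into a dict of lower-cased type -> value.
    Assumes single-valued RDNs (no '+') and only backslash-escaped commas."""
    rdns = {}
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr_type, _, value = rdn.strip().partition("=")
        rdns[attr_type.strip().lower()] = value.strip().replace("\\,", ",")
    return rdns

def escape_filter_value(value):
    """RFC 4515 escaping, so a value copied out of a certificate can never
    change the shape of the LDAP filter it is placed in."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def map_cert_to_search(subject_dn):
    """Return (search base, filter) for the entry this certificate maps to,
    or None when the certificate's OU matches no mapping rule."""
    rdns = parse_subject_dn(subject_dn)
    rule = MAPPING_RULES.get(rdns.get("ou", "").lower())
    if rule is None:
        return None
    base, attr = rule
    if attr not in rdns:
        return None
    return base, "(%s=%s)" % (attr, escape_filter_value(rdns[attr]))

if __name__ == "__main__":
    # Constructed sample subjects following the layout described in the post.
    for dn in ("uid=employee_mail@corp.com, OU=Employment Status - Employees, O=corp.com",
               "CN=servername.corp.com, OU=Servers, O=corp.com",
               "CN=stray, OU=Contractors, O=corp.com"):
        print(dn, "->", map_cert_to_search(dn))
```

A certificate whose OU matches no rule maps to nothing rather than falling through to a default search, which is the behaviour the pseudocode's unguarded `entry->get_dn()` would need to handle.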