Re: certificate mapping (Was: Netscape SLAPI -- IBM contribution to OpenLDAP)
Howard Chu wrote:
> I'm not intimately familiar with the Netscape SDK, but I note that the URL
> you reference indicates that the ldapssl_clientauth_init() function is part
> of a deprecated API. If you look at Chapter 12 of their manual, "Connecting
> Over SSL" they also talk about using a SASL EXTERNAL bind to establish
> client authentication with SSL.
> The short answer is that whatever Netscape is doing to handle client
> authentication with SSL but without SASL is not part of any standard LDAP
> specification, and therefore OpenLDAP doesn't handle it. OpenLDAP supports
> the standard method, which is to use SASL/EXTERNAL.
As I read it, the deprecated aspect of that particular function call is
merely that it is thread-unsafe, and requires more static
configuration. ldapssl_pkcs_init() is the new recommended function call
to use:
http://docs.iplanet.com/docs/manuals/dirsdk/csdk41/html/function.htm#1011532
This function, added in version 4.0 of the LDAP C SDK, provides
better SSL initialization than the previous ldapssl_*_init() SSL
initialization functions ldapssl_client_init(),
ldapssl_clientauth_init(), and ldapssl_advclientauth_init().
The function ldap_pcks_init() is preferred over these previous
initialization because it is thread-safe, while the other
ldapssl_*_init() functions are not.
I don't think it can be inferred from this that ordinary SSL client
certificate-based authentication is to be deprecated as a whole in
favor of SASL EXTERNAL binds. (If this is the case, please point me to
where this is stated so that I can learn).
On a related note, do you know how one might use the OpenLDAP
ldapsearch command in conjunction with a client certificate? In other
words, is there something like:
ldapsearch --keyfile /tmp/privatekey.pem ... cn=foo
(The analog on Netscape's side right now is the -K argument to specify
the private key file, along with -Z to specify SSL and -P to specify
the certificate file).
If this is possible, my next question is where would the server decide
how to map the certificate presented to a DN in the directory. (The
analog to Netscape's certificate mapping interface).
Thanks,
-Kartik
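The two questions at the end of the message (how to hand ldapsearch a client certificate, and where slapd maps that certificate to a DN) are answered by the OpenLDAP configuration below. This is an added example written for this thread; it is not code from the original post or from the OpenLDAP project. The hostname ldap.example.com, the file paths, the DIT layout under dc=example,dc=com and the specific authz-regexp pattern are all assumptions. On the OpenLDAP side the certificate is not given on the ldapsearch command line: the TLS material comes from ldap.conf(5) settings (TLS_CERT, TLS_KEY, TLS_CACERT) or their LDAPTLS_* environment equivalents, and client authentication is requested with a SASL EXTERNAL bind over TLS. On the server, the EXTERNAL authentication identity is derived from the certificate's subject DN, and slapd.conf's authz-regexp rewrites it onto a DN in the directory. The block also carries a small sed model of that rewrite so the pattern can be sanity-checked offline before touching the server.

```shell
#!/bin/sh
# Added example for this thread; not from the original post or from OpenLDAP.
# Assumes OpenLDAP 2.x client tools and slapd. All hostnames, paths, DNs and
# the authz-regexp pattern are assumptions.

# --- Client side: the OpenLDAP analog of Netscape's -Z / -P / -K ------------
# ldapsearch has no --keyfile option. The certificate, key and trust anchor
# come from ldap.conf(5) or the matching LDAPTLS_* environment variables,
# and client authentication is requested with a SASL EXTERNAL bind (-Y EXTERNAL)
# over StartTLS (-ZZ) or an ldaps:// URI.
export LDAPTLS_CACERT=/etc/ssl/certs/example-ca.pem   # assumed path
export LDAPTLS_CERT=/tmp/clientcert.pem                # assumed path
export LDAPTLS_KEY=/tmp/privatekey.pem                 # assumed path

# First check: which DN did slapd actually map the certificate to?
#   ldapwhoami -H ldap://ldap.example.com -ZZ -Y EXTERNAL
# Then the search itself:
#   ldapsearch -H ldap://ldap.example.com -ZZ -Y EXTERNAL \
#       -b ou=people,dc=example,dc=com '(cn=foo)'

# --- Server side (slapd.conf), assumed configuration ------------------------
#   TLSCACertificateFile /etc/ssl/certs/example-ca.pem
#   TLSVerifyClient demand          # refuse clients that present no valid cert
#   # The SASL EXTERNAL identity is the certificate subject DN; map it onto
#   # an entry in the DIT. $1 is the first parenthesised group.
#   authz-regexp "^cn=([^,]+),ou=people,o=example$"
#                "cn=$1,ou=people,dc=example,dc=com"

# --- Offline model of that authz-regexp --------------------------------------
# Takes the subject DN as slapd would present it and prints the mapped DN, or
# nothing when the pattern does not match. An unmatched identity is left as the
# raw certificate subject, which normally corresponds to no entry and therefore
# to no DN-based ACL, so a silent empty result here is the failure mode to spot.
# The exact rendering slapd uses (attribute-type case, RDN order) should be
# confirmed with ldapwhoami before the production pattern is written.
map_cert_subject() {
    printf '%s\n' "$1" | sed -n \
        's/^cn=\([^,]*\),ou=people,o=example$/cn=\1,ou=people,dc=example,dc=com/p'
}

# Optional helper: mint a throwaway self-signed client cert and print its
# subject in RFC 2253 order (the order the EXTERNAL identity is derived from).
# Writes the assumed /tmp paths above; needs openssl, returns 1 if it fails.
cert_subject_rfc2253() {
    # $1 = subject in openssl slash form, e.g. /O=example/OU=people/CN=foo
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /tmp/privatekey.pem \
        -out /tmp/clientcert.pem -days 1 -subj "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in /tmp/clientcert.pem -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

map_cert_subject 'cn=foo,ou=people,o=example'        # cn=foo,ou=people,dc=example,dc=com
map_cert_subject 'cn=foo,ou=people,o=someone-else'   # no output: identity not mapped
```

The point of the ldapwhoami check is that it reports the DN the server ended up with after authz-regexp, which is the only reliable way to see whether the certificate subject was rendered the way the pattern expects; if it comes back as the bare certificate subject rather than an entry under ou=people, the regexp did not match.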