SSL authentication
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Donn Cave
> We've been using a hack to simple bind to authenticate with SSL
> certificates, in 2.1 and 2.2, mainly so we could support client
> libraries on some MS Windows & MacOS X platforms that have SASL
> but no `external' option. The client basically just sends some
> standard stuff, that would not be valid in a normal simple bind,
> to signal it wants a certificate bind. It's 100 or so lines of
> extra code in bind.c, but mods to existing code are limited to
> one spot.
>
> I don't think it would require Cyrus SASL on the server, either,
> though I haven't tried it. The only obvious sasl requirement is
> slap_sasl_regexp().
>
> I'm guessing this may actually be a heresy and not what you meant,
> but it does work with any old LDAP client.
I used to have code for this in OpenLDAP 2.0 (pre-release); basically if the
client did a simple Bind with a DN and no password, and provided a client
cert, and the client cert DN matched the simple Bind DN then I treated it as
a successful authentication. That fell by the wayside when SASL/EXTERNAL came
along. Sometimes SASL gets to be enough of a headache that I'm tempted to
resurrect that code, but the current approach works...
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
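The scheme described in this thread (a simple Bind carrying a DN and no password, accepted only when a TLS client certificate is present and its subject matches the Bind DN) can be written out as a small decision function. The block below is an added illustration, not code from OpenLDAP's bind.c or from either poster; it assumes a constructed in-memory directory, a deliberately simplified DN normaliser that compares every attribute value caseIgnore-style, and a `BindRequest` type that carries the peer certificate's subject DN already extracted by the TLS layer.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: normalised bind DN -> stored password.
# A real server would store a password hash; plaintext keeps the example short.
DIRECTORY = {
    "cn=donn,ou=people,dc=example,dc=org": b"correct horse",
}


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case attribute types, collapse
    whitespace, case-fold values, sort the components of multi-valued RDNs.
    Assumption/simplification: every value is compared caseIgnore-style,
    which is not true for all LDAP attribute syntaxes."""
    if dn.strip() == "":
        return ""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):          # split on unescaped commas
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):    # split on unescaped '+'
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)
            avas.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


@dataclass
class BindRequest:
    dn: str
    password: bytes
    # Subject DN of the TLS client certificate, or None if none was presented.
    peer_cert_subject: Optional[str]


def decide_bind(req: BindRequest) -> str:
    """Return the outcome of a simple Bind under the certificate-matching rule."""
    if req.dn == "" and req.password == b"":
        return "anonymous"
    if req.password == b"":
        # A name with an empty password is an "unauthenticated bind"
        # (RFC 4513 section 5.1.2). Rather than silently downgrading it to
        # anonymous, require a client certificate whose subject matches the DN.
        if req.peer_cert_subject is None:
            return "rejected-unauthenticated"
        if normalize_dn(req.peer_cert_subject) == normalize_dn(req.dn):
            return "authenticated-by-cert"
        return "invalid-credentials"
    # Ordinary simple Bind: constant-time comparison against the stored secret.
    stored = DIRECTORY.get(normalize_dn(req.dn))
    if stored is None or not hmac.compare_digest(stored, req.password):
        return "invalid-credentials"
    return "authenticated-by-password"
```

Two points matter for a defender reviewing such a hack. First, the DN comparison must happen after normalisation on both sides, otherwise a certificate subject that differs only in case or spacing is wrongly rejected, or a server that compares raw strings may be coaxed into inconsistent results between the cert path and the password path. Second, the "no password" case must never fall through to anonymous access for a named DN; the function above refuses it outright when no certificate is present.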