
Re: about userCertificate



Hi, thank you Dieter Kluenter,

My question is due to the revocation of certificate-based authentication.
I don't know if OpenLDAP supports a revocation list operation for
certificates distributed. I checked the core.schema, and I found some
attributes like certificateRevocationList, userCertificate etc. I just
wonder how to enable it according to RFC2256.
Any suggestion?

Thank you, and all friends being attentive to this topic! :-)

----- Original Message -----
From: "Dieter Kluenter" <dieter@dkluenter.de>
To: <openldap-software@OpenLDAP.org>
Sent: Tuesday, June 17, 2003 11:07 PM
Subject: Re: about userCertificate


> Hi,
>
> "alexela_1999" <alexela_1999@sina.com> writes:
>
> > Has anybody used userCertificate for certificated authentication? And
> > please tell me how to use this attribute.
> > I built a certificated authentication server, but the server only recognizes
> > certificates signed by CA; that is to say, certificates are authenticated
> > when connecting using EXTERNAL, even if the user DN does not exist in the LDAP
> > server.
> > The userCertificate attribute seems to take no effect. Does anybody know how
> > to build a userCertificate-controlled authentication?
>
> Authentication is done by SASL. If the user certificate is validated, the
> user is authenticated and has the rights of an authenticated user;
> that does not depend on a user's entry.
> If you want to grant access only by authenticated users which have an
> entry, you should declare it in access controls.
>
> Following is the output of an authenticated user with an entry.
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
> dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
> SASL/EXTERNAL authentication started
> SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
> SASL SSF: 0
> dn:cn=dieter kluenter,ou=partner,o=avci,c=de
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>
> -Dieter
>
> --
> Dieter Kluenter  | Systemberatung
> Tel:040.64861967 | Fax: 040.64891521
> mailto: dkluenter@schevolution.com
> http://www.schevolution.com/tour
>
>
>