> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Milind Khandekar
>
> Hmm, so let me restate my requirement:
> Requirement:
>
> Use OpenLDAP with TLS, with server supplying digital
> certificate and "demand"ing client certificate. Based on
> client certificate, bind the client application to an entry.
>
> Like Howard and Kent say, my LDAP client application does get
> authenticated to the server. And I don't need to involve
> SASL at all.

Not true; the SASL library is still involved even though it does (next to) nothing in this case. You must perform a SASL Bind with the EXTERNAL mechanism in order to authenticate using the certificates.

> However, I have the following default access
> control mechanism:
>
> access to *
>     by self write
>     by users read
>     by anonymous auth
>
> The way I read the above policy is that if I created an
> entry, I can write to it, others can only read. So, if one
> client application created, say, three entries of a
> particular objectClass, only that application can modify them.

No. "self" means the one entry whose DN matches your authentication DN. It does *not* mean "all entries I created."

It also means, if you want to use TLS certificates for authentication and to control access to some directory entries, then the DN in the certificate must correspond to the DN of a directory entry. Or you must use saslRegexp to map from the certificate DN to the directory entry DN.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
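A slapd.conf fragment that puts Howard's two points together: demand a client certificate, then map the certificate DN onto an entry DN so that "by self write" has an entry to match. This is an added illustration, not configuration from the thread; the certificate paths, the subject layout cn=<app>,ou=clients,o=example,c=us and the dc=example,dc=com suffix are assumptions.

```conf
# slapd.conf fragment (added illustration, not from the thread).
# Assumed: client certificates are issued with subjects of the form
#   cn=<app name>,ou=clients,o=example,c=us
# and the application entries live under ou=apps,dc=example,dc=com.

# TLS: the server presents its own certificate and demands one from
# the client; a client without a valid certificate cannot connect.
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/server.crt
TLSCertificateKeyFile  /etc/openldap/server.key
TLSVerifyClient        demand

# After a SASL EXTERNAL bind over TLS, the authentication identity is
# derived from the certificate subject DN. If no entry has exactly that
# DN, "by self write" below can never match. Map the certificate DN to
# the entry DN instead (newer releases spell this directive authz-regexp).
saslRegexp
    "^cn=([^,]+),ou=clients,o=example,c=us$"
    "cn=$1,ou=apps,dc=example,dc=com"

# With the mapping in place, "self" is the single mapped entry, not
# every entry the application happened to create.
access to *
    by self write
    by users read
    by anonymous auth
```

Before writing the regexp, check the exact identity string slapd derives from a given certificate with `LDAPTLS_CERT=app.crt LDAPTLS_KEY=app.key ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com`; the first pattern must match what that command prints.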