Re: client certificates -- howto?
Hi,
Jeff Warnica <jeffw@chebucto.ns.ca> writes:
> The admin guide does a very good job describing how to configure client
> certificates - once they're already set up. There is not so much as a
> description of the required objectclass/attribute to hold the public
> cert. I would like authentication to be done in the same manner as SSH
> using keys; everything I've read says that this is possible (and usually
> "strongly recommend"), but nothing describes how to do it.
>
> On Sat, 2003-09-20 at 03:53, Dieter Kluenter wrote:
>> Hi,
>>
>> Jeff Warnica <jeffw@chebucto.ns.ca> writes:
>>
>> > I've dug around a bit, but I haven't been able to find any (useful)
>> > documentation on how to login to OpenLDAP using client certificates. Is
>> > there a howto or any other documents hidden away somewhere?
>>
>> See the Administrator's Guide 11.1.2 Client Certificate
>> http://www.openldap.org/doc/admin21/tls.html
>> And search the archive of this list, it has been posted several
>> times.
OK. Just a simple method to authenticate against OpenLDAP:
1. create user certificates with a DN matching the DN in the DIT
2. sign these certificates with your cacert
3. distribute cacert.pem to your hosts
4. create ~/.ldaprc files with TLS entries according to man ldap.conf
5. start authenticating, using the SASL EXTERNAL mechanism and forcing TLS
dieter@marin:~> ldapwhoami -Y EXTERNAL -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=Dieter Kluenter,OU=partner,O=avci,C=de
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
SASL username is extracted from the certificate.
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de