
RE: client certificates -- howto?



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jeff Warnica

> The admin guide does a very good job describing how to configure client
> certificates - once they're already set up. There is not so much as a
> description of the required objectclass/attribute to hold the public
> cert. I would like authentication to be done in the same manner as SSH
> using keys; everything I've read says that this is possible
> (and usually "strongly recommend"), but nothing describes how to do it.

The Admin Guide tells you to use TLS and SASL/EXTERNAL. That's all there is
to it. There is no description of any required objectclass/attribute because
there is no such requirement when using certificates for authentication.
There is no description of how to create certificates in the first place,
because creating certificates is not a function of OpenLDAP; it's a function
of OpenSSL and is discussed in OpenSSL documentation, as well as many other
places. Try www.verisign.com if you want someone else to create them for you.

Once you have things configured as described in the Admin Guide,
	ldapsearch -Z -Y EXTERNAL
will perform authentication using your client cert. So will
	ldapsearch -H ldaps://<whatever> -Y EXTERNAL

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
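Added example, not part of Howard's post: the identity slapd sees over SASL/EXTERNAL is the client certificate's subject DN in LDAP (RFC 2253) order, not the slash-separated form OpenSSL prints, so this script builds a throwaway cert, shows that DN, and derives a matching authz-regexp (the OpenLDAP 2.2+ spelling; 2.1 calls it sasl-regexp). It assumes openssl(1) is installed and an assumed base of ou=people,dc=example,dc=com.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes openssl(1) on PATH.
set -e

# Constructed throwaway self-signed client cert; a real one comes from your CA.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/client.key" -out "$dir/client.crt" \
        -subj "/C=CA/O=Example/CN=Jeff Warnica" >/dev/null 2>&1
    echo "$dir/client.crt"
}

# Subject in RFC 2253 (LDAP) order: the form SASL/EXTERNAL presents to slapd.
# The sed strips the "subject=" / "subject= " prefix OpenSSL prints.
cert_subject_rfc2253() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//'
}

# Emit an authz-regexp mapping any cert issued under the same O/C to the entry
# with the same cn under an assumed base. slapd compares the pattern against
# the normalized (case-folded) DN, so the pattern is emitted in lower case.
authz_regexp_for() {
    norm=$(cert_subject_rfc2253 "$1" | tr 'A-Z' 'a-z')
    rest=$(printf '%s\n' "$norm" | sed 's/^cn=[^,]*,//')
    printf 'authz-regexp "^cn=([^,]*),%s$" "cn=$1,ou=people,dc=example,dc=com"\n' "$rest"
}

crt=$(make_test_cert)
echo "SASL/EXTERNAL identity: $(cert_subject_rfc2253 "$crt")"
echo "slapd.conf line:        $(authz_regexp_for "$crt")"
```

If the subject DN already equals an entry DN in your directory, no authz-regexp is needed; the mapping is only for the usual case where the CA's naming differs from your DIT.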

> On Sat, 2003-09-20 at 03:53, Dieter Kluenter wrote:
> > Hi,
> >
> > Jeff Warnica <jeffw@chebucto.ns.ca> writes:
> >
> > > I've dug around a bit, but I haven't been able to find any (useful)
> > > documentation on how to login to OpenLDAP using client certificates. Is
> > > there a howto or any other documents hidden away somewhere?
> >
> > See the Administrator's Guide 11.1.2 Client Certificate
> > http://www.openldap.org/doc/admin21/tls.html
> > And search the archive of this list, it has been posted several
> > times.