Re: Client - Server Authentication Using Certificates
Hi,
Thanks for your reply, that was exactly what I needed!
I have spent today trying to implement this and have come across two
small problems and hence questions.
Please note that I have substituted my actual hostname for host.invalid.
The first problem is with my certificate. Due to the computing policy we
have here, the CN in the subject of the certificate is
CN=host/host.invalid and hence when I try to do the ldapsearch I obtain
the following error message.
TLS: hostname (host.invalid) does not match common name in certificate
(host/host.invalid).
The first question would be, is it possible to "tune" this with the ldap
configuration or does it make an assumption that the name on the
certificate has to be the same as the hostname.
To get past this problem I created my own CA and created a certificate
with CN=host.invalid.
This seemed to get me a little further but it failed with the following
error.
ldap_interactive_sasl_bind_s: server supports: PLAIN LOGIN
ldap_int_sasl_bind: PLAIN LOGIN
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method
So I guess that there is still something wrong with the configuration
but even after reading chapters 10 and 11 of the admin's guide I can't
work out what needs to be done. What I am trying to do is give the ldap
database global read access but only letting the client with a certain
certificate write data.
So my second question is what do I need to add to the configuration to
enable this to be done. I have appended the relevant lines from the
configuration files to the end of this mail.
Thanks for your help.
Laurence
ldap.conf
TLS_CACERT /etc/grid-security/certificates/fa3af1d7.0
TLS_CERT /etc/grid-security/hostcert.pem
TLS_KEY /etc/grid-security/hostkey.pem
slapd.conf
TLSCACertificateFile /etc/grid-security/certificates/fa3af1d7.0
TLSCertificateFile /etc/grid-security/hostcert.pem
TLSCertificateKeyFile /etc/grid-security/hostkey.pem
TLSVerifyClient demand
pidfile /opt/lcg/var/bdii/slapd.pid
argsfile /opt/lcg/var/bdii/slapd.args
database ldbm
suffix "o=top"
rootdn "o=top"
access to * by * read
directory /opt/lcg/var/bdii/LDAP
Igor Brezac wrote:
> On Fri, 7 May 2004, Laurence wrote:
> > Hi,
> > I am looking into whether it is possible to do mutual client server
> > authentication with LDAP using certificates generated from openssl and I
> > have a few questions.
> > The server side of things seems fine. What I would like to know is would
> > it be possible to use a certificate for the client to authenticate
> > itself with the server.
> > I have been through the openLDAP documentation and I can't seem to find
> > any way to configure the client to use certificates. All I can find is
> > that the client authenticates itself with a dn and password.
> > If this is possible, some pointers on how to configure the client side
> > would be most appreciated.
> Yes. You want SASL/EXTERNAL. See
> http://www.openldap.org/doc/admin22/tls.html for more.
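The first problem in the thread, the "hostname (host.invalid) does not match common name in certificate (host/host.invalid)" error, is the TLS layer's hostname check refusing a server certificate whose identity does not name the host the client connected to. The following is an added example for this thread, not OpenLDAP's own code: it reimplements the general TLS hostname-matching rule (subjectAltName dNSName entries take precedence, subject CN is only a fallback, a single leading wildcard label is allowed) over certificate structures constructed to mirror what Python's `ssl.SSLSocket.getpeercert()` returns. The three sample certificates are constructed for illustration; `host.invalid` is the placeholder hostname from the post.

```python
"""
Hostname-vs-certificate check of the kind a TLS client performs before
trusting a server certificate.

Added example for this thread, not OpenLDAP code.  The certificate
dicts below are constructed to mirror the structure returned by
Python's ssl.SSLSocket.getpeercert(): a 'subject' tuple of RDNs and an
optional 'subjectAltName' tuple.  No real certificate or network
connection is involved.
"""


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison with one leading wildcard
    label allowed (RFC 6125 style: *.example.com matches exactly one
    label, never the bare parent name and never a partial label)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]            # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # exactly one non-empty label may stand in for the '*'
    return bool(first_label) and "." not in first_label


def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dNSName entries from the SAN, commonName values from the subject)."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return san, cns


def cert_matches_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Decide whether `cert` is acceptable for `hostname`.

    If the certificate carries dNSName SubjectAltNames, only those are
    consulted; the subject CN is a fallback for certificates without any
    dNSName SAN.  Returns (ok, reason) so a caller can log a precise
    message like libldap's 'hostname (x) does not match common name in
    certificate (y)'.
    """
    san, cns = cert_names(cert)
    if san:
        for name in san:
            if _dns_pattern_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, f"hostname ({hostname}) does not match any subjectAltName {san}"
    if not cns:
        return False, "certificate has neither a dNSName SAN nor a subject CN"
    for cn in cns:
        if _dns_pattern_matches(cn, hostname):
            return True, f"matched subject commonName {cn!r}"
    return False, f"hostname ({hostname}) does not match common name in certificate ({cns[-1]})"


# --- constructed sample certificates (not real certificates) ---------------

# The situation from the thread: site policy puts 'host/<fqdn>' in the CN.
GRID_STYLE_CERT = {
    "subject": ((("organizationName", "Example Grid CA"),),
                (("commonName", "host/host.invalid"),)),
}

# Same host, CN holding the bare FQDN (what the poster's own CA issued).
PLAIN_CN_CERT = {
    "subject": ((("commonName", "host.invalid"),),),
}

# Keeps the policy-mandated CN but adds dNSName SANs; the hostname check
# then succeeds on the SAN and never needs to look at the CN.
SAN_CERT = {
    "subject": ((("commonName", "host/host.invalid"),),),
    "subjectAltName": (("DNS", "host.invalid"), ("DNS", "*.host.invalid")),
}


if __name__ == "__main__":
    for label, cert in [("grid-style CN", GRID_STYLE_CERT),
                        ("plain CN", PLAIN_CN_CERT),
                        ("CN + SAN", SAN_CERT)]:
        ok, why = cert_matches_hostname(cert, "host.invalid")
        print(f"{label:14s} -> {'OK  ' if ok else 'FAIL'}: {why}")
```

Running the block shows the grid-style certificate failing with the same wording as the error in the post, the plain-CN certificate passing, and the SAN certificate passing even though its CN is still `host/host.invalid`, which is the usual way to satisfy a naming policy on the CN without breaking hostname verification. Note that the matching is a property of the client's TLS library, not of any ldap.conf setting, so the check cannot be "tuned" away per hostname; the certificate has to name the host. For the second problem, the client side of SASL/EXTERNAL is selected with `ldapsearch -Y EXTERNAL` over a TLS session (`-ZZ`, or an `ldaps://` URI), or by `SASL_MECH EXTERNAL` in ldap.conf, and slapd only advertises EXTERNAL on a connection once TLS is up and the client certificate has been verified.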