[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Client - Server Authentication Using Certificates

To: Igor Brezac <igor@ipass.net>
Subject: Re: Client - Server Authentication Using Certificates
From: Laurence <Laurence.Field@cern.ch>
Date: Mon, 10 May 2004 18:43:53 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <Pine.GSO.4.58.0405071312380.2467@pula.ypass.net>
Keywords: CERN SpamKiller Note: -51 Charset: west-latin
References: <409BBAF5.40005@cern.ch> <Pine.GSO.4.58.0405071312380.2467@pula.ypass.net>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

Hi,

Thanks for your reply, that was exactly what I needed!

I have spent today trying to implement this and have come across two small problems and hence questions.

Please note that I have substituted my actual hostname for host.invalid.

The first problem is with my certificate. Due to the computing policy we have here, the CN in the subject of the certificate is CN=host/host.invalid and hence when I try to do the ldapsearch I obtain the following error message.

TLS: hostname (host.invalid) does not match common name in certificate (host/host.invalid).

The first question would be, is it possible to "tune" this with the ldap configuration or does it make an assumption that the name on the certificate has to be the same as the hostname.

To get past this problem I created my own CA and created a certificate with CN=host.invalid.

This seamed to get me a little further but it failed with the following error.

ldap_interactive_sasl_bind_s: server supports: PLAIN LOGIN
ldap_int_sasl_bind: PLAIN LOGIN
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method

So I guess that there is still something wrong with the configuration but even after reading chapter 10 and 11 of the admins guide I can't work out what needs to be done. What I am trying to do is give the ldap database global read access but only letting the client with a certain certificate write data.

So my second questions is what do I need to add to the configuration to enable this to be done. I have append the relevant lines from the configuration files to the end of this mail.

Thanks for you help.

Laurence

ldap.conf

TLS_CACERT /etc/grid-security/certificates/fa3af1d7.0
TLS_CERT /etc/grid-security/hostcert.pem
TLS_KEY /etc/grid-security/hostkey.pem


slapd.conf

TLSCACertificateFile /etc/grid-security/certificates/fa3af1d7.0
TLSCertificateFile /etc/grid-security/hostcert.pem
TLSCertificateKeyFile /etc/grid-security/hostkey.pem
TLSVerifyClient demand

pidfile  /opt/lcg/var/bdii/slapd.pid
argsfile  /opt/lcg/var/bdii/slapd.args

database  ldbm
suffix  "o=top"
rootdn  "o=top"
access to * by * read
directory /opt/lcg/var/bdii/LDAP

Igor Brezac wrote:

On Fri, 7 May 2004, Laurence wrote:

Hi,

I am looking into weather it is possible to do mutual client server
authentication with LDAP using certificates generated from openssl and I
have a few questions.

The server side of things seams fine. What I would like to know is would
it be possible to use a certificate for the client to authenticate
itself with the server.
I have been through the openLDAP documentation and I can't seem to find
any way to configure the client to use certificates. All I can find is
that the client authenticates its self with a dn and password.

If this is possible, some pointers on how to configure the client side would be most appreciated.


Yes.  You want SASL/EXTERNAL.  See
http://www.openldap.org/doc/admin22/tls.html for more.

Follow-Ups:
- Re: Client - Server Authentication Using Certificates
  - From: Igor Brezac <igor@ipass.net>
- Re: Client - Server Authentication Using Certificates
  - From: Donn Cave <donn@u.washington.edu>

References:
- Client - Server Authentication Using Certificates
  - From: Laurence <Laurence.Field@cern.ch>
- Re: Client - Server Authentication Using Certificates
  - From: Igor Brezac <igor@ipass.net>

Prev by Date: Re: OpenLDAP slapd replication
Next by Date: Re: OpenLDAP slapd replication
Index(es):
- Chronological
- Thread