Restrict client access by certificates
Hi,
I have a strange problem with certificates. I would like to have my ldap
server working through certificates and allow recognized clients to read
the ldap information. The scenario is:
- ldap server/client (opsids01)
- client (bscsi07)
In my test environment, I have created my own CA, which has signed the server
and the client certificates. Unfortunately the certificates are still not
working as desired. I would like to allow only opsids01 to read
the ldap information. However, I can still retrieve the information from
both 'opsids01' and 'bscsi07'. It doesn't seem to restrict client access by
certificates.
slapd.conf:
------------------
access to *
by dn="cn=admin,dc=bsc,dc=es" write
by dn="cn=allowed host,dc=bsc,dc=es" read
by * none
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile path_to_servercrt.pem
TLSCertificateKeyFile path_to_serverkey.pem
TLSCACertificateFile path_to_cacert.pem
TLSVerifyClient demand
sasl-regexp CN=opsids01.bsc.es "cn=allowed host,dc=bsc,dc=es"
client-server: ~/.ldaprc
----------
TLS_CACERT /path_to_cacert.pem
TLS_CERT /path_to_servercrt.pem
TLS_KEY /path_to_serverkey.pem
Using a command like:
ldapsearch -x -H ldaps://opsids01.bsc.es -b 'dc=bsc,dc=es' '(objectclass=*)'
the client-server is able to retrieve information from the ldap server.
According to the slapd.conf file, this client should be the only one allowed
to get this information. However, the other client, bscsi07.bsc.es,
can still get results from an ldapsearch query. This other client has a
different CN, so it shouldn't be authorized to retrieve anything. Could
someone help me with this?
Thanks a lot,
Xavi
--
Xavier Fustero Benavent
Barcelona Supercomputing Center -
Centro Nacional de Supercomputación (BSC-CNS)
Tel: +34 9341 37718 / Fax: +34 9341 37721
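An added check script (not part of the original post) for confirming what identity slapd actually evaluates the `by dn=` ACL clauses against. It assumes the OpenLDAP client tools are installed, that ~/.ldaprc already points TLS_CERT/TLS_KEY/TLS_CACERT at the client's files as in the post, and uses the server URI and base DN from the post; the live section only runs when RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example: does access to this slapd really hinge on the TLS client
# certificate? The `by dn=...` ACL clauses are matched against the bind
# identity, so we first ask the server who it thinks we are.
URI="${LDAP_URI:-ldaps://opsids01.bsc.es}"
BASE="${LDAP_BASE:-dc=bsc,dc=es}"

# Reduce one line of ldapwhoami output to the identity ACLs are checked
# against: "anonymous" for an unauthenticated bind, or the DN after "dn:".
whoami_identity() {
    case "$1" in
        anonymous) printf 'anonymous\n' ;;
        dn:*)      printf '%s\n' "${1#dn:}" ;;
        *)         printf 'unknown\n' ;;
    esac
}

# Succeeds only when slapd sees a real DN. An anonymous session can never
# match a `by dn=` clause, regardless of TLSVerifyClient having accepted
# the client certificate at the TLS layer.
is_authenticated() {
    id=$(whoami_identity "$1")
    [ "$id" != anonymous ] && [ "$id" != unknown ]
}

# Count entries in LDIF search output (each entry starts with "dn:").
count_entries() {
    grep -c '^dn:' || true
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    # -x with no -D is an anonymous simple bind: the certificate was
    # verified for the TLS handshake, but the LDAP session has no identity.
    simple_id=$(whoami_identity "$(ldapwhoami -x -H "$URI")")
    # -Y EXTERNAL asks slapd to take the identity from the certificate
    # subject; that subject DN is what sasl-regexp/authz-regexp rewrites.
    ext_id=$(whoami_identity "$(ldapwhoami -Y EXTERNAL -Q -H "$URI")")
    echo "simple bind identity  : $simple_id"
    echo "EXTERNAL bind identity: $ext_id"
    echo "entries via -x        : $(ldapsearch -x -H "$URI" -b "$BASE" \
        -LLL '(objectclass=*)' dn 2>/dev/null | count_entries)"
    echo "entries via EXTERNAL  : $(ldapsearch -Y EXTERNAL -Q -H "$URI" \
        -b "$BASE" -LLL '(objectclass=*)' dn 2>/dev/null | count_entries)"
fi
```

If the EXTERNAL identity printed is the raw certificate subject rather than `cn=allowed host,dc=bsc,dc=es`, the sasl-regexp pattern is not matching that subject DN string and the read clause cannot apply.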