
Restrict client access by certificates



Hi,

I have a strange problem with certificates. I would like to have my ldap server working through certificates and allow recognized clients to read the ldap information. The scenario is:

- ldap server/client (opsids01)
- client (bscsi07)

In my test environment, I have created my own CA, which has signed the server and the client certificates. Unfortunately the certificates are still not working as desired. I would like to allow only opsids01 to read the ldap information. However, I can still retrieve the information from 'opsids01' and 'bscsi07'. It doesn't seem to restrict client access by certificates.

slapd.conf:
------------------
access to *
      by dn="cn=admin,dc=bsc,dc=es" write
      by dn="cn=allowed host,dc=bsc,dc=es" read
      by * none

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile path_to_servercrt.pem
TLSCertificateKeyFile path_to_serverkey.pem
TLSCACertificateFile path_to_cacert.pem
TLSVerifyClient demand

sasl-regexp CN=opsids01.bsc.es "cn=allowed host,dc=bsc,dc=es"

client-server: ~/.ldaprc
----------
TLS_CACERT /path_to_cacert.pem
TLS_CERT /path_to_servercrt.pem
TLS_KEY /path_to_serverkey.pem

Using a command like: ldapsearch -x -H ldaps://opsids01.bsc.es -b 'dc=bsc,dc=es' '(objectclass=*)'

the client-server is able to retrieve information from the ldap server. According to the slapd.conf file, this client should be the only one allowed to get this information. However, the other client, bscsi07.bsc.es, can still get results from an ldapsearch query. This other client has a different CN, so it shouldn't be authorized to retrieve anything. Could someone help me with this?

Thanks a lot,
Xavi

--
Xavier Fustero Benavent
Barcelona Supercomputing Center - Centro Nacional de Supercomputación (BSC-CNS)
Tel: +34 9341 37718 / Fax: +34 9341 37721
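As an added illustration of the mechanism the post is relying on (not code from the post or from OpenLDAP itself), the script below models how slapd's sasl-regexp/authz-regexp mapping and the quoted access directive combine to produce an identity for an ACL check. Two points it makes visible: the certificate subject only becomes the authentication identity for a SASL EXTERNAL bind (ldapsearch -Y EXTERNAL), whereas a simple bind (ldapsearch -x) presents whatever -D supplies, anonymous when empty; and an unanchored pattern with unescaped dots, as in the post's sasl-regexp line, also matches look-alike subject names. The certificate subject DNs, the o= and c= components, the use of Python's re module in place of slapd's POSIX extended regex, and the treatment of an unmapped EXTERNAL identity as the raw subject DN are assumptions made for the example.

```python
import re

# Constructed authz-regexp rules (sasl-regexp is the older spelling). The first
# is the post's pattern as written; the second anchors it and escapes the dots.
LOOSE_RULES = [
    (r"CN=opsids01.bsc.es", "cn=allowed host,dc=bsc,dc=es"),
]
STRICT_RULES = [
    (r"^cn=opsids01\.bsc\.es,o=bsc,c=es$", "cn=allowed host,dc=bsc,dc=es"),
]

# Constructed certificate subject DNs in the RFC 2253 form slapd hands to
# authz-regexp for SASL EXTERNAL; the o= and c= components are assumptions.
OPSIDS01_SUBJECT = "cn=opsids01.bsc.es,o=bsc,c=es"
BSCSI07_SUBJECT = "cn=bscsi07.bsc.es,o=bsc,c=es"
LOOKALIKE_SUBJECT = "cn=opsids01xbscxes,o=bsc,c=es"  # unescaped '.' matches 'x'

ANONYMOUS = ""

# The post's access directive reduced to its DN clauses; everything else
# falls through to "by * none".
ACL = [
    ("cn=admin,dc=bsc,dc=es", "write"),
    ("cn=allowed host,dc=bsc,dc=es", "read"),
]
LEVELS = {"none": 0, "read": 1, "write": 2}


def apply_authz_regexp(authcid, rules):
    """Map a SASL authentication identity to an authorization DN.

    First matching rule wins; $1..$9 in the replacement are filled from the
    regex groups. Python's re (case-insensitive, unanchored search) stands in
    for slapd's POSIX extended regex here, which is an assumption.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authcid, flags=re.IGNORECASE)
        if m is None:
            continue
        authz_dn = replacement
        for i, group in enumerate(m.groups(), start=1):
            authz_dn = authz_dn.replace(f"${i}", group)
        return authz_dn
    return None


def bind_identity(mechanism, cert_subject=None, bind_dn=ANONYMOUS, rules=LOOSE_RULES):
    """Identity the ACL engine sees after a bind.

    "simple":   ldapsearch -x [-D dn]. TLS still verifies the client
                certificate (TLSVerifyClient demand), but its subject never
                becomes the identity; an empty -D is an anonymous bind.
    "EXTERNAL": ldapsearch -Y EXTERNAL. The certificate subject is the
                authcid and is run through authz-regexp; an unmapped subject
                is kept as the raw subject DN (assumption).
    """
    if mechanism == "simple":
        return bind_dn
    if mechanism == "EXTERNAL":
        if cert_subject is None:
            raise ValueError("SASL EXTERNAL over TLS requires a client certificate")
        mapped = apply_authz_regexp(cert_subject, rules)
        return mapped if mapped is not None else cert_subject
    raise ValueError(f"unsupported mechanism: {mechanism}")


def access_level(identity):
    """Access the post's ACL grants to an identity (DNs compared case-insensitively)."""
    for dn, level in ACL:
        if identity.lower() == dn:
            return level
    return "none"


def can_read(mechanism, cert_subject=None, bind_dn=ANONYMOUS, rules=LOOSE_RULES):
    """True when the bind described by the arguments is granted at least read."""
    identity = bind_identity(mechanism, cert_subject, bind_dn, rules)
    return LEVELS[access_level(identity)] >= LEVELS["read"]


if __name__ == "__main__":
    for host, subject in (("opsids01", OPSIDS01_SUBJECT), ("bscsi07", BSCSI07_SUBJECT)):
        print(f"{host}: simple bind (-x) read={can_read('simple', subject)}")
        print(f"{host}: SASL EXTERNAL    read={can_read('EXTERNAL', subject)}")
    print("look-alike subject, loose rule :", can_read("EXTERNAL", LOOKALIKE_SUBJECT, rules=LOOSE_RULES))
    print("look-alike subject, strict rule:", can_read("EXTERNAL", LOOKALIKE_SUBJECT, rules=STRICT_RULES))
```

Run as-is it prints the outcome for each host under both bind types, then shows the look-alike subject being mapped by the loose rule and rejected by the anchored one. Against a real server the same comparison can be made with ldapwhoami using -x and -Y EXTERNAL, which reports the identity slapd actually assigned to the connection.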