
Re: SASL/EXTERNAL with a smartcard



At 01:56 AM 2/17/2006, François Beretti wrote:
>I know that this is quite off topic, but I am wondering how to use
>SASL/EXTERNAL authentication with a certificate stored on a smartcard.
>
>For me it is not under the entire responsibility of the ssl library,
>since the LDAP library provides the certificate file, using the
>ldap.conf rules. When using a smartcard, you don't use a certificate
>file, since everything is in the smartcard, and not in the filesystem.
>So it seems that the LDAP library is incompatible with smartcard TLS
>authentication.
>
>Am I wrong?
>Does someone have any link to a way to achieve this?

In our external I-D management for SASL, we merely ask TLS
if there is a user certificate.  We don't care whether it
came from a file or not.

Now, TLS needs access to the user certificate and generally
relies on calling routines to provide the certificate
location via a file name.  We do this through ldap.conf(5)
mechanisms.  If TLS exposes another interface for providing
user certificates, OpenLDAP could certainly be extended
to support that interface.  In which case, feel free
to code something up and/or file an ITS for a feature
enhancement.

Kurt
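For reference, this is what the file-based path Kurt describes looks like on the client side. It is an added illustration, not configuration from the thread or from the OpenLDAP project; the paths, the host name and the CA file are assumptions. The directives themselves (TLS_CACERT, TLS_REQCERT, TLS_CERT, TLS_KEY, SASL_MECH) are the ldap.conf(5) mechanisms the reply refers to, and the user-specific ones go in ~/.ldaprc (or the LDAPTLS_CERT / LDAPTLS_KEY environment variables) rather than the system-wide ldap.conf:

```conf
# /etc/ldap/ldap.conf  (system-wide client settings; paths are assumed)
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org

# Verify the server. Without TLS_REQCERT demand the client will happily
# present its user certificate to any server that asks for it.
TLS_CACERT  /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand

# ~/.ldaprc  (per-user settings; TLS_CERT/TLS_KEY are only honoured here,
# not in the system-wide file)
# The user certificate and private key are plain files, which is exactly
# the assumption that does not hold for a smartcard.
TLS_CERT    /home/alice/.ldap/alice.crt.pem
TLS_KEY     /home/alice/.ldap/alice.key.pem
SASL_MECH   EXTERNAL
```

With this in place, `ldapwhoami -Y EXTERNAL -ZZ` (or plain `ldapwhoami` against the ldaps:// URI, since SASL_MECH is set) makes the client library hand TLS_CERT/TLS_KEY to the TLS library, and SASL/EXTERNAL then asks TLS for the identity of the presented certificate, as Kurt describes. The result is the certificate's subject DN in the authcid form slapd uses for SASL EXTERNAL, which slapd maps to an LDAP entry through its authz-regexp rules. Keep TLS_KEY readable only by its owner: unlike a smartcard, a file-based key is only as protected as the filesystem permissions on it.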