Re: SASL EXTERNAL and client certificates

[Adam Pordzik <adresseverbummelt@gmx.de>]

Kurt D. Zeilenga wrote:
> At 08:16 AM 5/1/2006, Adam Pordzik wrote:
> > Moin,
> >
> > Recently, I played with client cerfificated and SASL EXTERNAL mechanism.
> > There are some questions left:
> >
> > AUTHENTICATION/AUTRORIZATION
> >
> > I can authencticate with any certificate issued by a trusted CA found
> > c_rehashed in /etc/ssl/certs.
>
> Yes.
>
> > (O'SSL compiled-in certs directory AND
> > slapd's TLSCACertificatePath here) Does this implies, that anybody with
> > a valid certificate e.g. issued by some public CA like Thwate or Verisign
> > is authorized as "users" in ACL terms?
>
> If those CAs are "trusted" (see first question), yes.
>
> > Is only TLSCACertificatePath checked or OpenSSL's default directory also?
>
> Former.
>
> [...]
>
> Use of TLS+EXTERNAL is limited to valid certificates issued
> by a trusted CA.  Limit your trust in CAs to limit user
> certificates.

Hmm. When I place e.g a selfsigned.cer in /etc/ssl/certs (which is not
TLSCACertificatePath) on slapd's host, it will be taken for authenti=
cation and authorizaition.
Same for a (Sub-)CA, I can use for signing my own certificates, below
and alongside slapd's host cert-chain, allowed me issuing a client
certificate for e.g.

cn=Manager,dc=my,dc=dom

and it's use from any host for EXTERNAL authorization. I think this is
at least a little risky without a proper rewriting rule. (Only tested
with certificates which only extensions are non-critical basicConstraints
with CA:true/false and no pathlen)


Regards,

A

--