Re: ACL rule match if client certificate was used?
On 2012-06-05 13:42, Patrick Hemmer wrote:
> Is there any way to create an ACL rule which will match if a client
> certificate was used on the connection or not?
> I'd like to do an ACL such as
> 
> to attrs=userPassword
> by peername.ip="1.2.3.0%255.255.255.0" auth
> by client_ssf="64" auth
> 
> Also set olcTLSVerifyClient=try
> 
> This will let our internal network authenticate against ldap without
> needing a client cert, but anyone outside our internal network must have
> one. We would then use our own CA to create certificates for all the
> clients and tell OpenLDAP to trust only that CA.
> Obviously client_ssf doesn't exist, but is there another way of
> accomplishing this goal?

I wrote a proof of concept dynacl that essentially does this. The ACL
looked something like:

access to attrs=userPassword
    by dynacl/clientAuth auth

All the dynacl does is determine if there is an authid in the SASL
context. If so, a client certificate was used and access can be granted.

Examples of dynacls can be found in contrib/slapd-modules/acl.