Re: ACL rule match if client certificate was used?

[Patrick Hemmer <openldap@stormcloud9.net>]

Sent: Tue Jun 05 2012 17:39:03 GMT-0400 (EDT)
From: David Hawes <dhawes@vt.edu>
To: openldap-technical@openldap.org openldap-technical@openldap.org
Subject: Re: ACL rule match if client certificate was used?

On 2012-06-05 13:42, Patrick Hemmer wrote:

Is there any way to create an ACL rule which will match if a client
certificate was used on the connection or not?
I'd like to do an ACL such as

to attrs=userPassword
by peername.ip="1.2.3.0%255.255.255.0" auth
by client_ssf="64" auth

Also set olcTLSVerifyClient=try

This will let our internal network authenticate against ldap without
needing a client cert, but anyone outside our internal network must have
one. We would then use our own CA to create certificates for all the
clients and tell OpenLDAP to trust only that CA.
Obviously client_ssf doesnt exist, but is there another way of
accomplishing this goal?

I wrote a proof of concept dynacl that essentially does this. The ACL
looked something like:

access to attrs=userPassword
    by dynacl/clientAuth auth

All the dynacl does is determine if there is an authid in the SASL
context. If so, a client certificate was used and access can be granted.

Examples of dynacls can be found in contrib/slapd-modules/acl.

Hrm, this sounds promising. I'll take a look down this route.

Thanks :-)

-Patrick