[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication
Looks promising. For instance the function PK11_FindKeyByDERCert in
tls_m.c . I will try it with this one.
Am 24.06.2013 18:26, schrieb Michael Ströder:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11
URI containing a pinfile attribute) I tried to set those PKCS#11 URIs to the
ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM
encoded file (see function tlsg_ctx_init in tls_g.c) and a connection
initialization fails trying to read the PKCS#11 URI from the local file system.
So currently there seems to be no way to configure the OpenLDAP client to look
up the pkcs#11 store for the client key as well as the client certificate to
establish a client authenticated TLS connection.
If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss
(--with-tls=moznss). Never tried that myself though.
Ciao, Michael.
--
Mit freundlichen Grüßen,
Stefan Scheidewig
T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Softwareentwickler
Hausanschrift: Riesaer Str. 5, 01129 Dresden, Germany
Postanschrift: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com
T-Systems Multimedia Solutions GmbH
Aufsichtsrat: Klaus Werner (Vorsitzender)
Geschäftsführung: Peter Klingenburg, Susanne Heger
Handelsregister: Amtsgericht Dresden HRB 11433
Sitz der Gesellschaft Dresden
Ust-IdNr.: DE 811 807 949