
Re: OpenLDAP with ssl client certs



Brent Bice wrote:
>    So, was I right in trying to use ~/.ldaprc to try to force ldapsearch (for
> instance) to use a cert for authentication?  Running a sniffer and looking at
> the traffic, it doesn't look like ldapsearch is ever doing anything beyond an
> anonymous bind unless I specify -D and -W in which case it's binding and
> authenticating as normal rather than using a cert.

Use the command-line option -Y EXTERNAL to make the tools send a SASL/EXTERNAL bind,
as said before. Otherwise, at the LDAP level only a simple bind or even an anonymous
bind gets used, even if you used a client cert at the TLS level.

Then in your slapd.conf something like this:

# Cert-based authc-DN
authz-regexp
  "(.+)"
  "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"

Then you have to store the client cert's subject DN in the attribute 'seeAlso' in
LDAP DN string representation (openssl x509 -nameopt rfc2253).

> I think the notion of using a client cert as a 2nd factor will get dropped

Again:
The 2nd factor depends on whether you have smartcards at the client side or not.

Ciao, Michael.
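The mapping described in the reply above (SASL/EXTERNAL authc identity, authz-regexp rewrite, lookup via seeAlso), replayed as an added Python model that is not part of this thread or of OpenLDAP. The directory entries, DNs and the sample subject DN are constructed, and the lookup uses plain string equality where slapd would apply DN-syntax matching.

```python
"""Replay of the authz-regexp mapping from the slapd.conf snippet above.
Added illustration, not OpenLDAP code: slapd does the rewrite and the
internal search itself; this only models that logic against a constructed
in-memory directory to show which strings have to line up."""
import re

# The rule from the message: regexp, then the LDAP URL with $1 substituted.
AUTHZ_REGEXP = (r"(.+)",
    "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))")

# Constructed sample directory (DN -> attributes). The seeAlso value is the
# client cert's subject DN as 'openssl x509 -nameopt rfc2253' prints it.
DIRECTORY = {
    "uid=bbice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "pkiUser"],
        "seeAlso": ["CN=Brent Bice,OU=Staff,O=Example,C=US"]},
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],         # no pkiUser: never matches
        "seeAlso": ["CN=Jane Doe,OU=Staff,O=Example,C=US"]},
}

def expand_url(authc_id):
    """Match the SASL/EXTERNAL authc identity and expand $1 in the URL."""
    pattern, template = AUTHZ_REGEXP
    m = re.fullmatch(pattern, authc_id)
    return template.replace("$1", m.group(1)) if m else None

def search(url, directory):
    """Evaluate the (&(objectClass=X)(seeAlso=Y)) filter of the expanded URL.
    Simplification: plain string equality, where real DN-syntax matching
    would also tolerate case/whitespace differences (but not a different
    DN serialisation such as OpenSSL's default /C=US/O=... form)."""
    f = re.search(r"\(&\(objectClass=([^)]+)\)\(seeAlso=(.*)\)\)$", url)
    if not f:
        return []
    oc, see_also = f.group(1), f.group(2)
    return [dn for dn, e in directory.items()
            if oc in e["objectClass"] and see_also in e["seeAlso"]]

def map_authc_to_authz(authc_id, directory=DIRECTORY):
    """Return the entry DN the bind becomes, or None when mapping fails.
    slapd requires exactly one hit: zero or several hits leave the
    identity unmapped, so no ACL written for the user's entry applies."""
    url = expand_url(authc_id)
    hits = search(url, directory) if url else []
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    print(map_authc_to_authz("CN=Brent Bice,OU=Staff,O=Example,C=US"))  # mapped
    print(map_authc_to_authz("/C=US/O=Example/OU=Staff/CN=Brent Bice"))  # None
```

The second call shows the usual failure: a seeAlso value stored in OpenSSL's slash-separated default format never matches the RFC 2253 string slapd derives from the certificate.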
