Re: Antw: Re: OpenLDAP with ssl client certs

2013-11-05 Thread Michael Ströder
Quanah Gibson-Mount wrote: --On Monday, November 04, 2013 8:54 AM +0100 Ulrich Windl ulrich.wi...@rz.uni-regensburg.de wrote: Sorry, but if you insist on that, you didn't understand the concept: Any certificate signed (transitively) by a root CA is valid. There are no distinctions between

Antw: Re: OpenLDAP with ssl client certs

2013-11-04 Thread Ulrich Windl
Michael Ströder mich...@stroeder.com wrote on 01.11.2013 at 19:26 in message 5273f248.4030...@stroeder.com: Howard Chu wrote: Michael Ströder wrote: BTW: In case of client certs the cert's subject-DN is the authc-DN which can be directly used in authz-regexp which very much ties the

Re: OpenLDAP with ssl client certs

2013-11-04 Thread Michael Ströder
Ulrich Windl wrote: Michael Ströder mich...@stroeder.com wrote on 01.11.2013 at 19:26 in Unfortunately it's not that easy: Consider a (somewhat broken) official CA, which you definitely cannot avoid or fix and which issues client certs with non-unique subject-DNs. In this case one has

Re: Antw: Re: OpenLDAP with ssl client certs

2013-11-04 Thread Quanah Gibson-Mount
--On Monday, November 04, 2013 8:54 AM +0100 Ulrich Windl ulrich.wi...@rz.uni-regensburg.de wrote: Sorry, but if you insist on that, you didn't understand the concept: Any certificate signed (transitively) by a root CA is valid. There are no distinctions between more or less valid

Antw: Re: OpenLDAP with ssl client certs

2013-11-03 Thread Ulrich Windl
Howard Chu h...@symas.com wrote on 01.11.2013 at 19:12 in message 5273ef18.3070...@symas.com: Michael Ströder wrote: Howard Chu wrote: Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is

OpenLDAP with ssl client certs

2013-11-01 Thread Brent Bice
I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? Just to see if I could make any form of client cert authentication

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? Regarding client certs you have two options: 1. Let the

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Howard Chu
Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? You can make the server require a client cert, but it

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Howard Chu wrote: Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? You can make the server require a

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Howard Chu
Michael Ströder wrote: Howard Chu wrote: Brent Bice wrote: I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? You can

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Howard Chu wrote: Michael Ströder wrote: BTW: In case of client certs the cert's subject-DN is the authc-DN which can be directly used in authz-regexp which very much ties the mapping to subject-DN conventions of the PKI. But in some cases it would be very handy to map a distinct client

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Brent Bice
On 11/01/2013 12:12 PM, Howard Chu wrote: I would reject such an ITS. Cert-pinning is an issue for clients that have a very large collection of trusted CAs. The Admin Guide clearly states that servers should only trust a single CA - the CA that signed its own certs and the certs of its clients.

Re: OpenLDAP with ssl client certs

2013-11-01 Thread Michael Ströder
Brent Bice wrote: So, was I right in trying to use ~/.ldaprc to try to force ldapsearch (for instance) to use a cert for authentication? Running a sniffer and looking at the traffic, it doesn't look like ldapsearch is ever doing anything beyond an anonymous bind unless I specify -D and -W