On 1 Nov 2014, at 12:41, Graham Leggett <[email protected]> wrote:
>
> The use case this solves is that I want to uniquely identify a certificate
> and store that identity in an LDAP directory. The most obvious solution -
> just store the cert in the userCertificate attribute and do a direct binary
> match - doesn’t work in most directories, as direct certificate matching was
> forgotten in the specs that were involved (unfortunately).
What's stopping this from working? RFC 4523 calls for the userCertificate to
contain a DER-encoded version of the user's certificate.
The approach I have in mind is to have the directory searchable by issuer DN
and serial number, with a subsequent comparison of the certificate retrieved by
LDAP (DER+base64) against SSL_CLIENT_CERT.
I speculate that this could look like:
    Require expr %{SSL_CLIENT_CERT} -x509certeq %{LDAP_ATTRIBUTE_USERCERTIFICATE}
--
Tim Bannister – [email protected]
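The comparison sketched above, as an added example that is not part of the thread: bring the PEM in SSL_CLIENT_CERT and the base64 userCertificate value back to DER and compare them byte for byte, and pull the issuer DN and serial number the directory search would key on. The helper names are assumptions and the DER sample is a constructed, truncated skeleton, not a real certificate.

```python
import base64
import hmac

# Issuer attribute types rendered by short name (simplified RFC 4514: small OID subset, no escaping).
_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: n further length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split a constructed DER value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    """SSL_CLIENT_CERT is PEM: drop the armour lines and decode the base64 body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def cert_matches(ssl_client_cert, ldap_user_certificate):
    """Exact DER equality: PEM from mod_ssl vs. base64 userCertificate (line wraps tolerated)."""
    ldap_der = base64.b64decode("".join(ldap_user_certificate.split()))
    return hmac.compare_digest(pem_to_der(ssl_client_cert), ldap_der)

def issuer_and_serial(der):
    """Return (issuer DN string, serial int), the two keys the directory search needs."""
    fields = _children(_children(_tlv(der)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                             # optional EXPLICIT [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    rdns = []
    for _, rdn in _children(fields[2][1]):              # issuer Name: SEQUENCE OF RDN
        parts = []
        for _, atv in _children(rdn):                   # RDN: SET OF AttributeTypeAndValue
            oid, val = [v for _, v in _children(atv)]
            parts.append(f"{_OIDS.get(oid, 'OID')}={val.decode()}")
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns)), serial             # RFC 4514 prints RDNs last-first

# Constructed sample: a truncated DER skeleton holding only the fields parsed above
# (v3, serial 0x0BAD, sha256WithRSAEncryption, issuer CN=Test CA); not a usable certificate.
SAMPLE_DER = bytes.fromhex("302E302CA00302010202020BAD300D06092A864886F70D01010B0500"
                           "30123110300E0603550403130754657374204341")
SAMPLE_LDAP_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_LDAP_B64}\n-----END CERTIFICATE-----\n"
```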