On Thu, 9 Oct 2003, Artur Hecker wrote:

> hi kostas
>
> yes, that would be a possibility.
>
> in any case we shouldn't be too strict in the comparison. the example
> i'm thinking about is the following:
>
> given that the certificates are usually issued to real persons, the CN
> could be e.g. "smith". however, with nomadicity he is still "smith" but
> he is likely to use something like "[EMAIL PROTECTED]" which is NOT his
> CN. i think there are more similar examples in the case of proxying.
> perhaps we should also allow the usage of other (critical) certified
> fields instead of the CN - the email address is for example a good
> choice, since it can directly be used as a fully qualified global user
> name - since it is by default unique.
>
> that's why i am talking about some freely definable handler for
> comparison, like a function "boolean compare(string, string)".

I am not talking about checking specific attributes of the certificate but rather checking the certificate as a whole. If the certificate was issued to user jim then the usercertificate;binary in ldap and the certificate passed through eap should be exactly the same.

> ciao
> artur
>
> Kostas Kalevras wrote:
>
> > On Thu, 9 Oct 2003, Artur Hecker wrote:
> >
> >> however, it's true that the User-Name content, the certified name AND
> >> the EAP-Identity information is not checked for consistency by the
> >> server. (EAP-Identity should be equal User-Name - that's the function of
> >> the AP, that is something you have a trust with; however, these both
> >> compared to the certified name in the certificate could NOT match and
> >> the certificate would still be accepted. the question here is: do they
> >> have to match as strings or which is the good metrics? perhaps a
> >> configurable comparison handler?)
> >
> > One thing we could do (this is what iplanet does for certificate authentication)
> > is get the user certificate of the user from ldap and check it with the user
> > supplied. If they match then we can be pretty sure we are dealing with the right
> > user. This should not be too difficult to do using ldap_xlat. Maybe it would
> > require some code changes to ldap_xlat since the usercertificate attribute is
> > of binary type, base64 encoded, but i think it's doable.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
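The whole-certificate comparison Kostas describes, as an added example that is not code from the thread or from FreeRADIUS: both the certificate presented over EAP-TLS and the LDAP usercertificate;binary value are normalised to DER and compared byte for byte, so PEM wrapping or base64 encoding on either side does not matter and no CN-versus-e-mail matching rule is needed. The helper names are my own and the DER blobs are constructed stand-ins, not real X.509 certificates.

```python
import base64
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """Minimal DER check: an outer SEQUENCE whose encoded length spans the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        body_len, hdr = der[1], 2
    else:                                  # long-form length with 1..4 length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + body_len == len(der)


def to_der(blob: bytes) -> bytes:
    """Normalise PEM, raw DER, or a bare base64 value (as LDAP/LDIF hands it over) to DER."""
    m = PEM_RE.search(blob)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()))
    elif der_length_ok(blob):
        der = blob
    else:
        try:
            der = base64.b64decode(b"".join(blob.split()), validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError subclass
            raise ValueError("unrecognised certificate encoding") from exc
    if not der_length_ok(der):
        raise ValueError("not a well-formed DER certificate")
    return der


def certificates_match(eap_cert: bytes, ldap_value: bytes) -> bool:
    """Whole-certificate comparison: byte-for-byte equality of the two DER encodings."""
    return hmac.compare_digest(to_der(eap_cert), to_der(ldap_value))


def pem_wrap(der: bytes) -> bytes:
    """Wrap DER as PEM with 64-column lines, the form an EAP-TLS module typically exposes."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for DER certificates (well-formed outer SEQUENCE only, not real
# X.509 data) so the example runs offline; OTHER_DER differs only in its body bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
OTHER_DER = b"\x30\x82\x01\x00" + bytes(range(255, -1, -1))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)  # usercertificate;binary as base64 text
```

A CN or e-mail comparison can still be layered on top, but with an exact match against the directory's copy the identity-string question Artur raises no longer decides acceptance.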