hi kostas


ok, now i get it :-) but with your approach you have to put the user certificate into the server's LDAP (which it doesn't necessarily have), i.e. you have to put all certificates on the server AND on clients. it's a bit more difficult, especially if you don't run any kind of certificate repository.



I don't need to authenticate requests that i am just proxying.
The certificate check will be after checking that the certificate is valid.

well, you are right.


(however, we have a more complicated thing here: we check locally and then proxy only the authorization, i.e. "is this user still valid", to the remote host. with this, we don't need to proxy complete TLS exchanges (quite a big auth delay), we do not need CRLs or other central depositories ... and we do not need user certificates in _all_ visited domains... but i suppose it's not quite usual, though perfectly legal.)


But i use the username in the access-request to find the certificate in ldap. So
you can't use a fake username...

ok, with the limitations mentioned above. sorry, i didn't get it at first. still, i would prefer a more traditional method: why would the server need to have all user certs installed?


it should be quite simple to compare the User-Name to the configured field in the certificate by using regular expressions and similar.


ciao artur
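The User-Name-to-certificate comparison suggested above, as an added example that is not code from this thread or from FreeRADIUS itself. It assumes the client certificate's subject is available in the OpenSSL one-line DN form that FreeRADIUS exposes in its TLS-Client-Cert-Subject attribute; the sample subject and User-Name are constructed.

```python
import re

# Constructed sample values (not taken from the thread): a subject DN in
# OpenSSL one-line form and the User-Name from the Access-Request.
SAMPLE_SUBJECT = "/C=DE/O=Example Org/OU=Staff/CN=alice@example.org"
SAMPLE_USER_NAME = "alice@example.org"


def parse_subject(subject: str) -> dict:
    """Split a one-line DN ("/C=DE/O=.../CN=x") into {attribute: value}.

    A literal "/" inside a value is escaped as "\\/" in this form; the
    regex keeps escaped characters inside the value and unescapes them.
    """
    fields = {}
    for m in re.finditer(r"/([A-Za-z0-9.]+)=((?:\\.|[^/\\])*)", subject):
        fields[m.group(1).upper()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return fields


def user_name_matches(user_name: str, subject: str, field: str = "CN",
                      strip_realm: bool = False) -> bool:
    """Return True only if User-Name agrees with the configured DN field.

    Comparison is case-insensitive (user names and realms usually are).
    With strip_realm=True the "@realm" part is ignored on both sides,
    for deployments that strip the realm before the inner check; the
    default is strict, so "alice" does not match "alice@example.org".
    A certificate lacking the configured field is always rejected.
    """
    cert_value = parse_subject(subject).get(field.upper())
    if cert_value is None:
        return False
    a, b = user_name.strip().lower(), cert_value.strip().lower()
    if strip_realm:
        a, b = a.split("@", 1)[0], b.split("@", 1)[0]
    return a == b


if __name__ == "__main__":
    print(parse_subject(SAMPLE_SUBJECT))
    print(user_name_matches(SAMPLE_USER_NAME, SAMPLE_SUBJECT))   # True
    print(user_name_matches("bob@example.org", SAMPLE_SUBJECT))  # False
```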



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
