>>> Howard Chu <[email protected]> wrote on 01.11.2013 at 19:12 in message <[email protected]>:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Brent Bice wrote:
>>>> I was recently asked if we could use ssl client certs as a 2nd form
>>>> of authentication with OpenLDAP and didn't know for sure. Is it
>>>> possible to have OpenLDAP require both a DN/password pair *and* a client
>>>> ssl cert?
>>>
>>> You can make the server require a client cert, but it won't use the
>>> certificate identity for anything unless you Bind with SASL/EXTERNAL.
>>>
>>> http://www.openldap.org/doc/admin24/sasl.html#EXTERNAL
>>>
>>> And naturally, if you're using SASL, then the DN/password pair is ignored.
>>
>> BTW:
>>
>> In case of client certs the cert's subject-DN is the authc-DN which can be
>> directly used in authz-regexp, which very much ties the mapping to subject-DN
>> conventions of the PKI.
>>
>> But in some cases it would be very handy to map a distinct client cert to an
>> authz-DN by issuer-DN/serial or even by fingerprint. One use-case is cert
>> pinning of client certs and revocation checking done off-line.
>>
>> Should I file an ITS for that?
>
> I would reject such an ITS. Cert-pinning is an issue for clients that have a
> very large collection of trusted CAs. The Admin Guide clearly states that
> servers should only trust a single CA - the CA that signed its own certs and

Sorry, but if you insist on that, you didn't understand the concept: Any
certificate signed (transitively) by a root CA is valid. There are no
distinctions between more or less valid certificates; they are either valid
or invalid. Even if you talk about a single CA, what do you mean? A name of
a CA, or one specific certificate of a CA? Over time one CA may have more
than one certificate.

Please don't set up arbitrary restrictions or recommendations!

Regards,
Ulrich

> the certs of its clients. In that case, no one else can issue a valid cert
> with the same subjectDN.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
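As an added illustration of the setup Howard and Michael describe above (server requires a client cert, the cert identity is only used via a SASL/EXTERNAL bind, and the subject DN is mapped to a directory entry with authz-regexp), here is a slapd.conf fragment. This is example configuration written for this page, not something posted in the thread or shipped by the OpenLDAP project. The file paths, the ou=people,dc=example,dc=com naming and the use of uid as the lookup attribute are assumptions. Note that, exactly as Howard says, this does not give "password plus certificate": a client that binds with SASL/EXTERNAL sends no DN/password, and a client that does a simple bind gets its cert checked at the TLS handshake but its identity is never consulted.

```conf
# TLS material. The server trusts exactly one CA: the one that issued its own
# certificate and every client certificate (the single-CA rule Howard cites).
# Paths are assumptions for this example.
TLSCACertificateFile   /etc/openldap/ca.crt
TLSCertificateFile     /etc/openldap/server.crt
TLSCertificateKeyFile  /etc/openldap/server.key

# Demand a client certificate on every TLS session. A client that presents
# none, or one that does not chain to ca.crt, is rejected at the handshake,
# before any LDAP operation (including a simple bind) is possible.
TLSVerifyClient demand

# When the client then binds with SASL/EXTERNAL, slapd uses the certificate's
# subject DN (in LDAP string form, e.g. cn=alice,ou=people,dc=example,dc=com)
# as the authentication DN. Map that to the user's real entry by searching on
# uid under the assumed people container; the regexp is written against the
# normalized DN, so attribute types are lowercase.
authz-regexp
  "^cn=([^,]+),ou=people,dc=example,dc=com$"
  "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"
```

To exercise the mapping from a client, point the OpenLDAP client library at a user certificate and key and bind with EXTERNAL, for instance `LDAPTLS_CERT=alice.crt LDAPTLS_KEY=alice.key ldapwhoami -H ldaps://ldap.example.com/ -Y EXTERNAL`; a successful mapping prints the entry the regexp resolved to rather than the raw subject DN. Whatever the cert's subject says, the search URL limits the result to entries under ou=people, so a certificate whose CN does not match any uid there maps to nothing and the bind yields only the unmapped subject DN, which no ACL need grant anything to.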
