Jeffrey Altman wrote:

> How are you mapping a client cert to a local Unix account name?
> 
> Are you using a field within the cert?  If so, which one(s)?  Are
> different fields used for different services?
> 
> Or are you using some form of Certificate Mapping Service which takes
> a validated cert as input and returns a local account name?  If so,
> how are you implementing this service?

I've had this problem as well -- as far as I can see there is no good
answer.  If you use a special field, you run into problems with CAs
that won't add them.  Also it is not the way certificates are
"supposed" to be used: they are meant to be evidence of identity and
not evidence of the right to use a particular machine.

One approach would be to use the email field.  If you have email
addresses of the form id@firm, this is essentially giving you what you
need.  You want to make sure that the firm is yours, and then allow
the person to log on with that id.

Another approach might be to use the certificate's DN to look up the
user in an LDAP/X.500 database.  You then get the user ID out of that.

Dennis Glatting wrote:

> I remember reading a standard on mapping X.400 to SMTP. Maybe that'll
> help. Try the RFC repositories.

The document in question is RFC 2156.  It doesn't help a great deal --
it just describes a way to represent X.400 DNs as RFC 822 addresses.
For example

C=GB; PRMD=foo; O=bar; S=baz

would become something like:

"/C=GB/PRMD=foo/O=bar/S=baz"@x400-relay.wibble.com

----------------------------------------------------------------------
      phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
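The two mapping approaches discussed in the reply above (email field restricted to one's own firm, and a DN lookup in a directory), as an added example that is not part of the thread or of OpenSSL. It assumes the certificate has already been validated by the TLS layer and that what reaches the mapping step is the one-line subject string in the form `openssl x509 -noout -subject` prints; the domain, the directory contents and the subject strings are constructed. A real deployment would replace the in-memory dictionary with an LDAP/X.500 query.

```python
import re
from typing import Dict, Optional

# Constructed values for the example: the firm whose users may log in, and a
# stand-in for an LDAP/X.500 directory keyed by the full subject DN.
OUR_DOMAIN = "example.com"
DIRECTORY = {
    "/C=GB/O=bar/CN=Jane Doe": "jdoe",
}

# Conservative Unix login syntax: anything else is refused rather than passed
# to the system, so a cert cannot smuggle in '/', ';' or similar.
UNIX_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_subject(subject: str) -> Dict[str, str]:
    """Split '/C=GB/O=bar/CN=x' into {'C': 'GB', ...}.

    Accepts an optional leading 'subject=' as printed by openssl.  Values that
    themselves contain '/' are not supported by this simple splitter.
    """
    s = subject.strip()
    if s.startswith("subject="):
        s = s[len("subject="):].strip()
    rdns: Dict[str, str] = {}
    for part in (p for p in s.split("/") if p):
        if "=" not in part:
            raise ValueError(f"malformed RDN component: {part!r}")
        key, value = part.split("=", 1)
        rdns[key.strip()] = value.strip()
    return rdns


def account_from_email(email: str, our_domain: str = OUR_DOMAIN) -> Optional[str]:
    """Map id@firm to the local account 'id', but only when firm is ours."""
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    if domain.lower() != our_domain.lower():
        return None  # a valid cert from another firm grants no account here
    local = local.lower()
    if not UNIX_NAME_RE.fullmatch(local):
        return None  # not a plain login name: refuse rather than sanitise
    return local


def map_cert_subject(subject: str) -> Optional[str]:
    """Approach 1: derive the account from the certificate's email field."""
    rdns = parse_subject(subject)
    email = rdns.get("emailAddress") or rdns.get("Email")
    if not email:
        return None
    return account_from_email(email)


def map_cert_dn(subject: str) -> Optional[str]:
    """Approach 2: look the whole DN up in a directory that stores the uid."""
    rdns = parse_subject(subject)
    dn = "/" + "/".join(f"{k}={v}" for k, v in rdns.items())
    return DIRECTORY.get(dn)


if __name__ == "__main__":
    for subj in (
        "/C=GB/O=bar/CN=Jane/emailAddress=jane@example.com",
        "/C=GB/O=bar/CN=Jane/emailAddress=jane@other.org",
        "/C=GB/O=bar/CN=Jane Doe",
    ):
        print(subj, "->", map_cert_subject(subj), "|", map_cert_dn(subj))
```

Both functions return `None` rather than a fallback name when no mapping applies, so the caller can fail closed; the email path also normalises the local part to lower case before checking it against the login-name pattern, which avoids treating `Jane@` and `jane@` as two different accounts.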