On Thu, 9 Oct 2003, Artur Hecker wrote:

> However, it's true that the User-Name content, the certified name AND
> the EAP-Identity information are not checked for consistency by the
> server. (EAP-Identity should equal User-Name - that's the function of
> the AP, which is something you have a trust relationship with; however, both of
> these, compared to the certified name in the certificate, could NOT match and
> the certificate would still be accepted. The question here is: do they
> have to match as strings, or what is the right metric? Perhaps a
> configurable comparison handler?)
One thing we could do (this is what iPlanet does for certificate authentication) is get the user certificate of the user from LDAP and check it against the one the user supplied. If they match, then we can be pretty sure we are dealing with the right user. This should not be too difficult to do using ldap_xlat. Maybe it would require some code changes to ldap_xlat, since the usercertificate attribute is of binary type, base64 encoded, but I think it's doable.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
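The two checks discussed in this thread, comparing the presented certificate against the copy stored in the directory and checking User-Name, EAP-Identity and the certified name for consistency, sketched as an added Python example. This is not code from the thread or from FreeRADIUS and does not use ldap_xlat or parse X.509: it assumes the LDAP entry has already been fetched (here a constructed dict with a base64-encoded `userCertificate;binary` attribute and placeholder DER bytes that are not a real certificate) and that the TLS layer has already extracted the certified name as a string. The "configurable comparison handler" Artur asked about is modelled as a small table of comparison functions.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed stand-in for the DER bytes of the certificate presented in the
# EAP-TLS handshake. Not a real X.509 blob; the check below is byte-for-byte,
# so any bytes serve to demonstrate it.
SUPPLIED_CERT_DER = b"\x30\x82\x01\x0a constructed DER placeholder for alice"

# Constructed stand-in for the LDAP entry returned for the user. The directory
# stores userCertificate as a binary attribute; it is shown here base64-encoded,
# as the thread says ldap_xlat would hand it back.
LDAP_ENTRY: Dict[str, str] = {
    "uid": "alice",
    "userCertificate;binary": base64.b64encode(SUPPLIED_CERT_DER).decode("ascii"),
}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; comparing digests avoids leaking where
    two certificates first differ through timing."""
    return hashlib.sha256(der).hexdigest()


def stored_cert_matches(entry: Dict[str, str], supplied_der: bytes) -> bool:
    """Decode the base64 userCertificate attribute from the directory entry and
    compare it with the certificate the client presented. A missing attribute
    or undecodable value is a failure, never a pass."""
    raw: Optional[str] = entry.get("userCertificate;binary")
    if raw is None:
        return False
    try:
        stored_der = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(fingerprint(stored_der), fingerprint(supplied_der))


# --- Configurable comparison handlers for the identity-consistency check ---

def cmp_exact(a: str, b: str) -> bool:
    return a == b


def cmp_case_insensitive(a: str, b: str) -> bool:
    return a.casefold() == b.casefold()


def _strip_realm(name: str) -> str:
    # "alice@example.org" -> "alice"; names without a realm are unchanged
    return name.split("@", 1)[0]


def cmp_ignore_realm(a: str, b: str) -> bool:
    return cmp_case_insensitive(_strip_realm(a), _strip_realm(b))


HANDLERS: Dict[str, Callable[[str, str], bool]] = {
    "exact": cmp_exact,
    "case-insensitive": cmp_case_insensitive,
    "ignore-realm": cmp_ignore_realm,
}


def identities_consistent(user_name: str, eap_identity: str,
                          certified_name: str, handler: str = "exact") -> bool:
    """All three names must agree under the chosen handler: the User-Name
    attribute, the EAP-Identity, and the name certified by the certificate."""
    cmp = HANDLERS[handler]
    return cmp(user_name, eap_identity) and cmp(user_name, certified_name)


def authorize(entry: Dict[str, str], supplied_der: bytes, user_name: str,
              eap_identity: str, certified_name: str,
              handler: str = "exact") -> bool:
    """Accept only when the presented certificate is the one stored for the
    user AND the three identities are consistent."""
    return (stored_cert_matches(entry, supplied_der)
            and identities_consistent(user_name, eap_identity, certified_name, handler))


if __name__ == "__main__":
    print("exact, matching cert:",
          authorize(LDAP_ENTRY, SUPPLIED_CERT_DER, "alice", "alice", "alice"))
    print("realm-stripped names:",
          authorize(LDAP_ENTRY, SUPPLIED_CERT_DER, "alice@example.org",
                    "alice@example.org", "Alice", handler="ignore-realm"))
```

The handler choice is deliberately a policy knob rather than a fixed rule: an exact string match is the safest default, while the realm-stripping handler exists only for deployments where the directory CN and the NAI intentionally differ in realm. Whatever handler is chosen, the certificate match is a separate gate, so a consistent set of names with the wrong certificate is still rejected.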