On Nov 16, 2007 11:51 AM, Fernando Iglesias wrote:

> Ok, I'll try to introduce my idea. I've an x509 cert; the field CN is a
> user name that exists in the LDAP server. I can extract this CN from the
> cert using Apache SSL, then a PHP program takes this username and tries to
> log into Courier IMAP using Courier authlib and an LDAP server, but a
> password is needed.

Yes, a password is needed, as it secures the account.

> So my idea was, "can I use this cert to authenticate the user directly?".
> If I store x509 certs in LDAP, can I configure authlib to authenticate
> against the pair (user name, x509 cert)?

You might as well remove the passwords altogether, since what you are
proposing is equivalent to authenticating with (user name, public cleartext
password). The X.509 cert is not secure and does not provide security; it is
a public document containing information which can be used to verify data
signed / encrypted with its associated private key. You've lost all that in
your scheme.

Try storing cleartext passwords in LDAP, ditch the X.509 certs, use LDAP ACLs
to secure the LDAP password fields and retrieve the password instead of an
X.509 cert. It's essentially the same process except it removes the illusion
of security around your password, and that's all you've got: an illusion, no
security.

-Enda.
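The distinction Enda draws can be shown in code. This is an added example, not code from the thread, from Courier or from authlib: it builds a constructed self-signed RSA identity, then places the stored-certificate comparison from the question (NaiveCertLogin) beside a challenge-response check (ProofOfPossession) that uses the certificate only to verify a signature made with the private key. All function names and the nonce values are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
)

// makeIdentity builds a constructed self-signed RSA cert (DER, as LDAP would store it) and its private key.
func makeIdentity(cn string) ([]byte, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der, key
}

// NaiveCertLogin is the scheme from the question: whoever holds a copy of the public cert passes.
func NaiveCertLogin(storedDER, presentedDER []byte) bool {
	return bytes.Equal(storedDER, presentedDER)
}

// SignNonce is the client side: only the holder of the private key can sign the server's fresh nonce.
func SignNonce(key *rsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// ProofOfPossession is the server side: the stored cert verifies the signature, so the cert alone gets nobody in.
func ProofOfPossession(storedDER, nonce, sig []byte) bool {
	cert, err := x509.ParseCertificate(storedDER)
	if err != nil {
		return false
	}
	return cert.CheckSignature(x509.SHA256WithRSA, nonce, sig) == nil
}
```

The server must generate a new random nonce for every login attempt; reusing one turns a captured signature into a replayable credential.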
