Thanks for your answers.

On Nov 16, 2007 1:21 PM, Enda <[EMAIL PROTECTED]> wrote:

> On Nov 16, 2007 11:51 AM, Fernando Iglesias wrote:
> > Ok, I'll try to introduce my idea. I've an x509 cert; the field CN is a
> > user name that exists in the LDAP server. I can extract this CN from the
> > cert using Apache SSL, then a PHP program takes this username and tries to
> > log in to courier imap using courier authlib and an LDAP server, but a
> > password is needed.
>
> Yes, password is needed as it secures the account.
>
> > So my idea was, "can I use this cert to authenticate the user directly?". If
> > I store x509 certs in LDAP, can I configure authlib to authenticate against
> > the pair (user name, x509 cert)?
>
> You might as well remove the passwords altogether since what you are
> proposing is equivalent to authenticating with (user name, public cleartext
> password). The x.509 cert is not secure and does not provide security; it is
> a public document containing information which can be used to verify data
> signed / encrypted with its associated private key. You've lost all that in
> your scheme.
>
> Try storing cleartext passwords in LDAP, ditch the x.509 certs, use LDAP
> ACLs to secure the LDAP password fields and retrieve the password instead
> of an x.509 cert. It's essentially the same process except it removes the
> illusion of security around your password, and that's all you've got: an
> illusion, no security.
>
>  -Enda.
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> courier-users mailing list
> [email protected]
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
>



-- 
I should have known better
Than to let you go alone
It's times like these
I can't make it on my own
Wasted days, and sleepless nights
An' I can't wait to see you again
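
The point made in the quoted reply (a certificate is a public document, and only the matching private key proves who is connecting) shown as an added Go example; it is not code from the thread or from Courier. The names `newUser`, `authByCertMatch`, `authByProof`, the users alice and mallory, and the choice of Ed25519 keys are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newUser builds constructed sample data: a private key and a self-signed cert with CN=cn.
func newUser(cn string) (ed25519.PrivateKey, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return priv, der
}

// authByCertMatch is the (user name, cert) lookup: true for anyone holding a copy of the cert.
func authByCertMatch(storedDER, presentedDER []byte) bool {
	return bytes.Equal(storedDER, presentedDER)
}

// authByProof is true only for a signature over the server's nonce made with the cert's private key.
func authByProof(storedDER, nonce, sig []byte) bool {
	if cert, err := x509.ParseCertificate(storedDER); err == nil {
		pub, ok := cert.PublicKey.(ed25519.PublicKey)
		return ok && ed25519.Verify(pub, nonce, sig)
	}
	return false
}

func main() {
	aliceKey, aliceCert := newUser("alice")
	malloryKey, _ := newUser("mallory") // has a copy of alice's public cert, not her key
	nonce := make([]byte, 16)
	rand.Read(nonce) // fresh for every login attempt
	fmt.Println("copied cert passes cert match:", authByCertMatch(aliceCert, aliceCert))
	fmt.Println("proof with mallory's / alice's key:", authByProof(aliceCert, nonce, ed25519.Sign(malloryKey, nonce)), authByProof(aliceCert, nonce, ed25519.Sign(aliceKey, nonce)))
}
```

A TLS handshake with client-certificate verification performs the `authByProof` step itself, which is why the web server can trust the CN it extracts while a later lookup of the stored certificate adds nothing.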