AND: this does not solve the problem of the User-Name NOT being the same as the certificate. E.g. if you and I both have the complete certificate (you in the LDAP), I could still use some other User-Name, thus faking the accounting.
ciao artur
Kostas Kalevras wrote:
On Thu, 9 Oct 2003, Artur Hecker wrote:
hi kostas
yes, that would be a possibility.
In any case we shouldn't be too strict in the comparison. The example I'm thinking about is the following:
Given that the certificates are usually issued to real persons, the CN could be e.g. "smith". However, with nomadicity he is still "smith", but he is likely to use something like "[EMAIL PROTECTED]", which is NOT his CN. I think there are more similar examples in the case of proxying. Perhaps we should also allow the usage of other (critical) certified fields instead of the CN - the email address is for example a good choice, since it can directly be used as a fully qualified global user name, since it is unique by default.
That's why I am talking about some freely definable handler for comparison, like a function "boolean compare(string, string)".
I am not talking about checking specific attributes of the certificate but rather checking the certificate as a whole. If the certificate was issued to user jim then the usercertificate;binary in ldap and the certificate passed through eap should be exactly the same.
ciao artur
Kostas Kalevras wrote:
On Thu, 9 Oct 2003, Artur Hecker wrote:
However, it's true that the User-Name content, the certified name AND the EAP-Identity information are not checked for consistency by the server. (EAP-Identity should equal User-Name - that's the function of the AP, which is something you have a trust relationship with; however, both of these compared to the certified name in the certificate could NOT match and the certificate would still be accepted. The question here is: do they have to match as strings, or what is the right metric? Perhaps a configurable comparison handler?)
One thing we could do (this is what iPlanet does for certificate authentication) is get the user's certificate from LDAP and check it against the user-supplied one. If they match, then we can be pretty sure we are dealing with the right user. This should not be too difficult to do using ldap_xlat. Maybe it would require some code changes to ldap_xlat, since the usercertificate attribute is of binary type, base64 encoded, but I think it's doable.
--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
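The two checks discussed in the thread, combined into one authorization step, as an added example (not code from the thread or from FreeRADIUS): Kostas' whole-certificate comparison against the base64-encoded usercertificate;binary attribute, and Artur's pluggable compare(string, string) handler for tying User-Name to a certified field. The certificate bytes, the LDAP_DIRECTORY dictionary standing in for the directory lookup, the certified_fields dictionary (assumed to be filled in by whatever already parsed the client certificate), and the user names are all constructed for the example.

```python
import base64
import hmac
from typing import Callable, Dict, Tuple

# Constructed sample bytes standing in for DER-encoded client certificates
# (not real certificates; the leading bytes only mimic a SEQUENCE header).
CERT_JIM_DER = b"\x30\x82\x01\x00" + b"constructed-client-certificate-for-jim"
CERT_SMITH_DER = b"\x30\x82\x01\x00" + b"constructed-client-certificate-for-smith"

# Constructed stand-in for the directory: the value LDAP would return for
# usercertificate;binary, base64-encoded as described in the thread.
LDAP_DIRECTORY = {
    "jim": base64.b64encode(CERT_JIM_DER).decode("ascii"),
    "smith": base64.b64encode(CERT_SMITH_DER).decode("ascii"),
}


def certificate_matches_ldap(presented_der: bytes, ldap_b64: str) -> bool:
    """Whole-certificate check: the certificate presented in the EAP-TLS
    handshake must be byte-for-byte identical to the one stored for the user."""
    try:
        stored_der = base64.b64decode(ldap_b64, validate=True)
    except (ValueError, TypeError):
        return False
    # Constant-time comparison; the result does not leak where the bytes differ.
    return hmac.compare_digest(stored_der, presented_der)


# A comparison handler has the shape Artur proposes: compare(string, string) -> bool.
CompareHandler = Callable[[str, str], bool]


def compare_exact(user_name: str, certified: str) -> bool:
    """Strict string equality between User-Name and the certified field."""
    return user_name == certified


def compare_nai_user_to_cn(user_name: str, certified_cn: str) -> bool:
    """Accept 'smith@realm' for a certificate whose CN is 'smith': drop the
    realm of an NAI-style User-Name, then compare case-insensitively."""
    local_part = user_name.split("@", 1)[0]
    return local_part.casefold() == certified_cn.casefold()


def compare_email(user_name: str, certified_email: str) -> bool:
    """Treat the certified e-mail address as the globally unique user name."""
    return user_name.casefold() == certified_email.casefold()


def authorize(user_name: str, eap_identity: str, presented_der: bytes,
              certified_fields: Dict[str, str], field: str,
              handler: CompareHandler) -> Tuple[bool, str]:
    """Tie the three identities together: EAP-Identity must equal User-Name,
    the presented certificate must match usercertificate;binary for that user,
    and User-Name must agree with the chosen certified field under `handler`."""
    if eap_identity != user_name:
        return False, "EAP-Identity differs from User-Name"
    # Hypothetical directory lookup keyed by the local part of the User-Name.
    ldap_entry = LDAP_DIRECTORY.get(user_name.split("@", 1)[0])
    if ldap_entry is None:
        return False, "no directory entry for user"
    if not certificate_matches_ldap(presented_der, ldap_entry):
        return False, "presented certificate is not the one stored for this user"
    certified = certified_fields.get(field)
    if certified is None:
        return False, f"certificate carries no {field}"
    if not handler(user_name, certified):
        return False, f"User-Name does not match certified {field}"
    return True, "ok"


if __name__ == "__main__":
    # Legitimate user, strict CN comparison.
    print(authorize("jim", "jim", CERT_JIM_DER, {"CN": "jim"}, "CN", compare_exact))
    # Artur's concern: a valid certificate for smith presented with User-Name jim.
    print(authorize("jim", "jim", CERT_SMITH_DER, {"CN": "smith"}, "CN", compare_exact))
    # Nomadic user: 'smith@example.org' against CN 'smith' with the NAI-aware handler.
    print(authorize("smith@example.org", "smith@example.org", CERT_SMITH_DER,
                    {"CN": "smith"}, "CN", compare_nai_user_to_cn))
```

The certificate comparison is deliberately done on the decoded bytes rather than on the base64 text, because a directory may re-wrap or re-pad the encoded value while the DER itself is unchanged; the handler is looked up by the caller so that a CN, an e-mail address, or any other certified field can be the comparison key without changing the authorization logic.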
