On Thu, 9 Oct 2003, Artur Hecker wrote:

> i understand, but if you do that, you can't proxy requests anymore.

I don't need to authenticate requests that i am just proxying. The certificate
check will be after checking that the certificate is valid.

> AND: this does not solve the problem of user-name being NOT the same as
> certificate. e.g. if you me and i we both have the complete certificate
> (you in the LDAP), i could still use some other User-Name thus faking
> the accounting.

But i use the username in the access-request to find the certificate in ldap.
So you can't use a fake username...

> ciao
> artur
>
> Kostas Kalevras wrote:
>
> > On Thu, 9 Oct 2003, Artur Hecker wrote:
> >
> >> hi kostas
> >>
> >> yes, that would be a possibility.
> >>
> >> in any case we shouldn't be too strict in the comparison. the example
> >> i'm thinking about, is the following:
> >>
> >> given that the certificates are usually issued to real persons, the CN
> >> could be e.g. "smith". however, with nomadicity he is still "smith" but
> >> he is likely to use something like "[EMAIL PROTECTED]" which is NOT his
> >> CN. i think there are more similar examples in the case of proxying.
> >> perhaps we should also allow the usage of other (critical) certified
> >> fields instead of the CN - the email address is for example a good
> >> choice, since it can directly be used as a fully qualified global user
> >> name - since it is by default unique.
> >>
> >> that's why i am talking about some freely definable handler for
> >> comparison, like a function "boolean compare(string, string)."
> >
> > I am not talking about checking specific attributes of the certificate but
> > rather checking the certificate as a whole. If the certificate was issued to
> > user jim then the usercertificate;binary in ldap and the certificate passed
> > through eap should be exactly the same.
> >
> >> ciao
> >> artur
> >>
> >> Kostas Kalevras wrote:
> >>
> >>> On Thu, 9 Oct 2003, Artur Hecker wrote:
> >>>
> >>>> however, it's true that the User-Name content, the certified name AND
> >>>> the EAP-Identity information is not checked for consistency by the
> >>>> server. (EAP-Identity should be equal User-Name - that's the function of
> >>>> the AP, that is something you have a trust with; however, these both
> >>>> compared to the certified name in the certificate could NOT match and
> >>>> the certificate would still be accepted. the question here is: do they
> >>>> have to match as strings or which is the good metrics? perhaps a
> >>>> configurable comparison handler?)
> >>>
> >>> One thing we could do (this is what iplanet does for certificate authentication)
> >>> is get the user certificate of the user from ldap and check it with the user
> >>> supplied. If they match then we can be pretty sure we are dealing with the right
> >>> user. This should not be too difficult to do using ldap_xlat. Maybe it would
> >>> require some code changes to ldap_xlat since the usercertificate attribute is
> >>> of binary type, base64 encoded but i think it's doable.
> >>>
> >>> --
> >>> Kostas Kalevras Network Operations Center
> >>> [EMAIL PROTECTED] National Technical University of Athens, Greece
> >>> Work Phone: +30 210 7721861
> >>> 'Go back to the shadow' Gandalf
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
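As an added illustration of the check Kostas describes (this is not code from FreeRADIUS or from anyone in this thread): the User-Name from the Access-Request selects the LDAP entry, the base64 usercertificate;binary value is decoded, and the stored certificate is compared with the presented one as a whole rather than by CN or e-mail field. The directory contents and certificate bytes are constructed stand-ins, and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the LDAP directory: User-Name -> usercertificate;binary
# as it would come back over LDAP (base64 text). The byte strings are NOT real
# DER certificates, just distinct blobs so the comparison can be exercised.
_FAKE_JIM_DER = b"\x30\x82\x01\x0aconstructed-not-a-real-certificate-jim"
_FAKE_ARTUR_DER = b"\x30\x82\x01\x0aconstructed-not-a-real-certificate-artur"
LDAP_DIRECTORY = {
    "jim": base64.b64encode(_FAKE_JIM_DER).decode("ascii"),
    "artur": base64.b64encode(_FAKE_ARTUR_DER).decode("ascii"),
}


def to_der(cert: bytes) -> bytes:
    """Normalise a presented certificate to DER bytes.

    EAP-TLS hands the server the raw DER certificate; PEM is accepted too so
    the same check can be run on a certificate pulled from a file.
    Raises ValueError on a PEM body that is not valid base64.
    """
    lines = [ln.strip() for ln in cert.splitlines()]
    if lines and lines[0] == b"-----BEGIN CERTIFICATE-----":
        body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
        return base64.b64decode(body, validate=True)
    return cert


def certificate_matches_user(user_name: str, presented_cert: bytes) -> bool:
    """True only if the certificate stored for User-Name is byte-identical to
    the one the client presented.

    Because the User-Name selects the directory entry, a client holding a
    valid certificate cannot pair it with somebody else's User-Name.
    """
    stored_b64 = LDAP_DIRECTORY.get(user_name)
    if stored_b64 is None:
        return False  # no entry for that User-Name: reject, do not fall back to CN
    try:
        stored_der = base64.b64decode(stored_b64, validate=True)
        presented_der = to_der(presented_cert)
    except ValueError:
        return False  # a malformed stored or presented value counts as a mismatch
    # Compare fixed-length digests in constant time so the check does not
    # leak how much of the certificate matched.
    return hmac.compare_digest(
        hashlib.sha256(stored_der).digest(),
        hashlib.sha256(presented_der).digest(),
    )
```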
