On Thu, 9 Oct 2003, Artur Hecker wrote:

> hi kostas
>
> > > ok, now i get it :-) but with your approach you have to put the user
> > > certificate into the server's LDAP (which it doesn't necessarily have),
> > > i.e. you have to put all certificates on the server AND on clients. it's
> > > a bit more difficult, especially if you don't run any kind of
> > > certificate repository.
> >
> > I don't need to authenticate requests that i am just proxying.
> > The certificate check will be after checking that the certificate is valid.
>
> well, you are right.
>
> (however, we have a more complicated thing here, we check locally and
> then proxy only the authorization, i.e. "is this user still valid" to
> the remote host. with this, we don't need to proxy complete TLS exchanges
> (quite big auth delay), we do not need CRLs or other central
> depositories ... and we do not need user certificates in _all_ visited
> domains... but i suppose, it's not quite usual though perfectly legal.)
> >
> > But i use the username in the access-request to find the certificate in ldap. So
> > you can't use a fake username...
>
> ok, with the limitations mentioned above. sorry, i didn't get it first.
> still, i would prefer a more traditional method: why would the server
> need to have all user certs installed?
>
> it should be quite simple to compare the User-Name to the configured
> field in the certificate by using regular expressions and similar.
Sure. Both could be just configurable options. If you maintain a CA and an ldap to store user certificates you can enable certificate verification. If not, you can just do a regex on the certificate attributes and verify it that way. The only thing left now is for someone to write these checks :-)

> ciao
> artur
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
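The two configurable checks discussed in this thread, sketched as an added Python example that is not FreeRADIUS code and not code posted by either participant: a directory lookup that compares the presented certificate with the one stored for the User-Name, and a regex check that extracts the user from a configured subject field. The names `check_by_directory`, `check_by_regex` and `verify_client`, the in-memory dict standing in for LDAP, and the sample certificate data are all assumptions constructed for the example.

```python
import hashlib
import re

# Constructed sample data (hypothetical; stands in for a parsed EAP-TLS
# client certificate: its subject attributes and its DER encoding).
CLIENT_CERT = {
    "subject": {"CN": "alice", "emailAddress": "alice@example.org"},
    "der": b"\x30\x82constructed-cert-bytes-for-alice",
}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-in for the LDAP entry holding alice's certificate
# (mode 1 in the thread: the server keeps every user certificate).
DIRECTORY = {"alice": fingerprint(CLIENT_CERT["der"])}

def check_by_directory(user_name: str, cert: dict, directory: dict) -> bool:
    """Mode 1: User-Name selects the stored certificate; the presented
    certificate must be that exact certificate, so a fake User-Name fails."""
    stored = directory.get(user_name)
    return stored is not None and stored == fingerprint(cert["der"])

def check_by_regex(user_name: str, cert: dict, field: str, pattern: str) -> bool:
    """Mode 2: no certificate repository; the configured subject `field` must
    match `pattern`, whose single capture group is compared to User-Name.
    re.fullmatch anchors the pattern, so CN 'malice' never satisfies a
    pattern meant for 'alice' by substring match."""
    value = cert["subject"].get(field)
    if value is None:
        return False
    m = re.fullmatch(pattern, value)
    return m is not None and m.lastindex == 1 and m.group(1) == user_name

def verify_client(user_name: str, cert: dict, mode: str, **cfg) -> bool:
    """Dispatch on the configured mode ('ldap' or 'regex')."""
    if mode == "ldap":
        return check_by_directory(user_name, cert, cfg["directory"])
    if mode == "regex":
        return check_by_regex(user_name, cert, cfg["field"], cfg["pattern"])
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    print(verify_client("alice", CLIENT_CERT, "ldap", directory=DIRECTORY))
    print(verify_client("alice", CLIENT_CERT, "regex",
                        field="emailAddress", pattern=r"([^@]+)@example\.org"))
```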
