Armin Wenz writes:
> is it possible to authenticate a user not by password but by
> userCertificate with version 2.3.x?
No. However, you can authenticate with certificates: the client can send the certificate during TLS/SSL negotiation, and afterward use Bind:SASL/EXTERNAL to authenticate as the DN in that certificate.

Configure the server to verify client certificates with TLSVerifyClient, TLSCACertificateFile, maybe TLSCRLCheck. Or TLSCACertificatePath instead of ...File; if so, set up that directory with some magic OpenSSL command. Don't remember which one.

You may need to rewrite DNs from your certificates to the naming structure of DNs in your directory with 'authz-regexp' or 'sasl-regexp'. On the other hand, with different names you can tell in access statements which DNs come from certificates and which come from Simple Bind etc.

Finally, the server will not necessarily require the DN in the certificate to exist in the directory. Haven't checked how OpenLDAP behaves about that. If it doesn't, I suppose you could use access ... by set ... to look up the 'user' entry and verify that it exists, see http://www.openldap.org/faq/data/cache/1133.html

--
Hallvard
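As an added example (not part of Hallvard's reply and not taken from the OpenLDAP project's own documentation), the fragment below puts the directives he names into an OpenLDAP 2.3 style slapd.conf, followed by the matching client-side ldaprc and the ldapwhoami call that shows which identity the server ended up with. The host name, file paths, the base DN dc=example,dc=com, the ou=Users,o=Example Corp,c=DE subject layout of the issued certificates and the 128-bit strength requirement are assumptions; the directive names are the ones listed in the reply plus the authz-regexp search-URL form from slapd.conf(5). The OpenSSL command that builds the hashed CA directory is c_rehash (openssl rehash in OpenSSL 1.1 and later).

```conf
# ---- slapd.conf (server side) ----
# Added example; paths, DNs and the certificate subject layout are assumptions.

# Server certificate and key used for the TLS handshake.
TLSCertificateFile      /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile   /etc/openldap/certs/slapd.key

# CAs whose client certificates are trusted: a hashed directory (run
# c_rehash, or "openssl rehash", on it whenever a CA or CRL is added).
# A single bundle file (TLSCACertificateFile) works too, but CRLs are
# looked up in the hashed directory, so the directory form is used here.
TLSCACertificatePath    /etc/openldap/cacerts

# "demand" refuses the TLS session unless the client presents a certificate
# that chains to a trusted CA. "allow" and "try" let sessions without a
# verified certificate through, so they do not enforce anything.
TLSVerifyClient         demand

# Also reject client certificates listed on the CA's CRL (requires OpenSSL
# and the CRL placed in the hashed TLSCACertificatePath directory above).
TLSCRLCheck             peer

# Map the certificate subject DN that SASL/EXTERNAL presents (assumed form:
#   cn=Armin Wenz,ou=Users,o=Example Corp,c=DE)
# onto the matching entry under ou=People. The replacement is a search URL,
# so the mapping only happens when exactly one entry matches; an identity
# that is not mapped never matches ACLs written against ou=People, which is
# one way to make "the entry must exist" hold in practice.
authz-regexp
    "^cn=([^,]+),ou=Users,o=Example Corp,c=DE$"
    "ldap:///ou=People,dc=example,dc=com??sub?(cn=$1)"

# Assumed hardening: refuse any operation below 128 bits of TLS strength,
# so neither passwords nor certificate-mapped identities travel in clear.
security ssf=128

# ---- ~/.ldaprc (client side, ldap.conf(5) options) ----
# TLS_CERT and TLS_KEY are user-only options, hence a per-user file.
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/cacerts/ca.pem
TLS_CERT    /home/armin/armin.crt
TLS_KEY     /home/armin/armin.key
TLS_REQCERT demand

# Check from the client (StartTLS required by -ZZ, then SASL/EXTERNAL):
#   ldapwhoami -ZZ -Y EXTERNAL
# The output is the identity the server uses for access control; with the
# mapping above it should read
#   dn:cn=Armin Wenz,ou=People,dc=example,dc=com
# and not the raw certificate subject. If the raw subject is printed, the
# authz-regexp pattern does not match the DN form slapd presents; adjust the
# pattern rather than loosening TLSVerifyClient.
```

The ldapwhoami check is the quickest way to see which of Hallvard's two cases applies: a mapped DN means the directory entry exists and ACLs on ou=People apply to it, while an unmapped subject DN means the certificate was accepted by TLS but nothing in the directory corresponds to it, which is exactly the situation his last paragraph warns about.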
