Sean Gallagher wrote:
> On 26/06/2023 7:40 pm, Howard Chu wrote:
>> That feature is already available using TLSVerifyClient in the slapd config.
>
> Not really. Using the TLSVerifyClient mechanism could be made to work and
> would be a nice solution but it isn't there yet. To make this work, you would
> need to pass to libldap some type of specification of the names of
> legitimate clients. Then in the tls_o.c:tlso_verify_cb() function, compare
> the name on the client cert with the specification and return the pass/fail
> status back to the TLS layer. Then it would all "just work".
>
> The average user might be surprised to learn that TLSVerifyClient does not
> currently involve checking the client's name. You would intuitively think
> that was pretty important.
The point of a certificate-based authentication system is not to have to implement authentication rules for each and every individual user. An LDAP server should only trust certificates issued by a single CA; that CA should only be issuing certs to valid users. Ideally, the LDAP server should be the CA, which is what slapo-autoca is designed for. An LDAP server is not a web server or a client. There is no reason for it to trust certs from multiple CAs.

>
>> Pure nonsense.
>
> Pure hubris.
>
> It's sad when it takes a disaster to effect real change.

Pure ignorance.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
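As an added illustration of the name check Sean describes (this is example code written here, not OpenLDAP's tls_o.c:tlso_verify_cb() and not part of the thread), the block below takes a client certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns and matches its subject CN and DNS SANs against an allowlist of legitimate client name patterns. The sample certificate dict, the host names and the patterns are all constructed for the example. Chain validation against the single trusted CA that Howard describes is the TLS library's job (ssl.CERT_REQUIRED with one cafile); this check only layers an identity policy on top of a certificate that has already passed that validation.

```python
import fnmatch
from typing import Any, Iterable, List, Mapping

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# for an already chain-validated client certificate. Names are hypothetical.
SAMPLE_PEER_CERT: Mapping[str, Any] = {
    "subject": ((("commonName", "replica1.example.com"),),),
    "subjectAltName": (
        ("DNS", "replica1.example.com"),
        ("DNS", "ldap-client.example.com"),
    ),
    "issuer": ((("commonName", "Example LDAP CA"),),),
}


def cert_names(peer_cert: Mapping[str, Any]) -> List[str]:
    """Collect every subject commonName and every DNS subjectAltName
    from a getpeercert()-style dict, in certificate order."""
    names: List[str] = []
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def client_name_allowed(peer_cert: Mapping[str, Any],
                        allowed_patterns: Iterable[str]) -> bool:
    """Pass/fail decision the verify callback would return: True only if at
    least one name on the certificate matches one allowlist pattern.

    Patterns use shell-style globs; note that '*' in fnmatch also matches
    dots, so 'replica*.example.com' matches 'replica1.sub.example.com' too.
    DNS names are case-insensitive, so both sides are lower-cased.
    A certificate with no names at all never passes."""
    names = [n.lower() for n in cert_names(peer_cert)]
    patterns = [p.lower() for p in allowed_patterns]
    return any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns)


if __name__ == "__main__":
    # Constructed policy: only replicas may bind with a client certificate.
    policy = ["replica*.example.com"]
    print("names on cert:", cert_names(SAMPLE_PEER_CERT))
    print("allowed:", client_name_allowed(SAMPLE_PEER_CERT, policy))
```

In a deployment that follows the single-CA model from the thread this check is a second, narrower gate: the CA decides who may hold a certificate at all, and the allowlist decides which of those holders may reach this particular server. Logging the rejected names, rather than only returning False, is what makes a misissued or stolen replica certificate visible to the operator.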