> The point of a certificate-based authentication system is not to have to
> implement authentication rules for each and every individual user. An LDAP
> server should only trust certificates issued by a single CA; that CA should only
> be issuing certs to valid users. Ideally, the LDAP server should be the CA,
> which is what slapo-autoca is designed for.

Any peer in a TLS session that does validation seems to have three things to validate:
1. the X.509 subject name matching the name as known or claimed by the peer
2. the signing authority
3. the validity date

Are we saying that the LDAP server should only care about #2? 

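As an added example (not part of this thread, and not OpenLDAP or slapo-autoca code): a small Go program that issues a client certificate from a single trusted CA and then applies the three checks listed above to it, so the difference between #2 and the other two is concrete. The Issuer type and the functions NewCA, IssueClientCert and ValidateClient are hypothetical names chosen for the illustration; the CA and user certificates are generated in memory as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is a hypothetical helper type: a CA certificate with its signing key,
// standing in for the single CA the LDAP server is meant to trust.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA builds a self-signed CA certificate (constructed test data, not a real CA).
func NewCA(name string, now time.Time) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, Key: key}, nil
}

// IssueClientCert has the CA sign an end-entity certificate whose subject CN
// names one user; the validity window is a parameter so expiry can be tested.
func (ca *Issuer) IssueClientCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidateClient applies the three checks from the post to a client certificate:
// #3 validity dates, #2 signing authority, #1 subject name vs. claimed identity.
func ValidateClient(cert, trustedCA *x509.Certificate, claimedCN string, now time.Time) error {
	// #3: validity period. cert.Verify also enforces this through CurrentTime,
	// but checking first gives a specific error rather than a generic one.
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid %s to %s)", now.Format(time.RFC3339),
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	// #2: signing authority. The root pool holds exactly one CA, so a
	// certificate from any other issuer fails here whatever its subject says.
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("issuer check failed: %w", err)
	}
	// #1: subject name. Passing #2 only proves the trusted CA issued the
	// certificate; binding it to the identity the client claims is a separate step.
	if cert.Subject.CommonName != claimedCN {
		return fmt.Errorf("subject CN %q does not match claimed identity %q", cert.Subject.CommonName, claimedCN)
	}
	return nil
}

func main() {
	now := time.Now()
	ca, err := NewCA("Example LDAP CA", now)
	if err != nil {
		panic(err)
	}
	alice, err := ca.IssueClientCert("alice", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("alice as alice:", ValidateClient(alice, ca.Cert, "alice", now))
	fmt.Println("alice as bob:", ValidateClient(alice, ca.Cert, "bob", now))
}
```

In this code, passing check #2 says only that the one trusted CA signed the certificate; check #1 is still what ties that certificate to a particular claimed user, and check #3 is enforced both explicitly and again inside Verify via CurrentTime. A certificate from a second CA, even with the same subject CN, is rejected at #2 before its subject is ever compared.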