Howard Chu
2006-Feb-07 20:02 UTC
[Fedora-directory-users] Re: Certificate authentication with SASL External
> From: Rob Crittenden <rcritten@redhat.com>
>
> Yann wrote:
>
>> Thanks Richard,
>>
>> but this howto explains how to match the certificate DN to an LDAP entry... my
>> problem is: I don't want to have a corresponding entry in the LDAP directory...
>>
>> I want to be identified only by the DN in the certificate, and match some ACL...
>> that's all. No need to have an entry in the LDAP.
>>
>> If it's possible in DS...
>>
>
> So you want to bind to the directory server with a valid client
> certificate for a user that doesn't exist? For what purpose?

There is no reason to assume any connection between SASL identities and LDAP directory entries. Moreover, in a true distributed directory system, there's no reason to assume that an entry for a valid user is present on every DSA in the system. Of course, the folks who developed LDAP didn't understand this essential bit of X.500, so it's no surprise that you're unfamiliar with distributed authentication.

Remember that authentication is not the same as authorization - having the valid certificate just proves who you are to the server; the server doesn't have to accord you any privileges/authorization just because of that.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
David Boreham
2006-Feb-07 23:34 UTC
Re: [Fedora-directory-users] Re: Certificate authentication with SASL External
> Remember that authentication is not the same as authorization - having
> the valid certificate just proves who you are to the server; the
> server doesn't have to accord you any privileges/authorization just
> because of that.

Correct, but the OP _wanted_ to make an authorization decision for this identity, not just perform authentication. I think what he wants is to be able to use the subject DN in the client's cert directly as the bind identity for access control purposes. This isn't supported. Not because the original developers missed some grand X.500 vision, but because nobody needed to do that (and haven't for 10 years, until now...).
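To make the authentication/authorization split in this exchange concrete, here is what Yann's "no entry in the directory" setup looks like on an OpenLDAP slapd. This is an added example, not configuration from the original posts and not Fedora DS configuration (which, per David's reply, does not support binding as an unmapped certificate subject). Every DN, file path and organisation name below is an assumption chosen for illustration. The server demands a client certificate chained to a CA it trusts; on a SASL EXTERNAL bind over that TLS session slapd takes the verified certificate's subject DN as the authentication DN without looking up any entry; and that DN is then named directly in an access directive even though nothing under the suffix corresponds to it. The commented-out authz-regexp at the end is the other design, the one the howto Yann was pointed to describes: mapping the certificate subject onto an existing entry.

```conf
# Added example in slapd.conf syntax. Paths, DNs and names are assumptions.

# Server credentials and the CA that issued the client certificates.
TLSCACertificateFile  /etc/openldap/ca.pem
TLSCertificateFile    /etc/openldap/server.pem
TLSCertificateKeyFile /etc/openldap/server.key
# Refuse TLS sessions that do not present a client certificate chained
# to the CA above. This is the authentication step: proof of key
# possession, checked against the CA, and nothing more.
TLSVerifyClient       demand

# Optional alternative (global directive, so it must precede any
# "database" line): rewrite the certificate subject DN onto an entry
# that exists in the DIT. slapd matches the pattern against the
# normalized authentication DN, so write it in lowercase. Leave this
# commented out to keep the "no entry required" behaviour shown below.
# authz-regexp "^cn=([^,]+),ou=admins,o=example,c=fr$"
#              "cn=$1,ou=People,dc=example,dc=com"

database bdb
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"

# Authorization: "cn=Yann,ou=Admins,o=Example,c=FR" is a certificate
# subject, not an entry anywhere under dc=example,dc=com, yet it is a
# perfectly good subject for an access rule. A certificate from the
# same CA with any other subject DN falls through to read-only access.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=Yann,ou=Admins,o=Example,c=FR" write
    by * read
```

A quick check from the client side, with the client certificate and key pointed to by the LDAPTLS_CERT and LDAPTLS_KEY environment variables (or TLS_CERT/TLS_KEY in the user's ldaprc), is `ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com`: with the mapping commented out it reports the certificate subject itself as the bound identity, with the mapping active it reports the rewritten entry DN. Either way the CA and TLSVerifyClient decide who may authenticate, and only the access directives decide what that identity may do, which is the distinction Howard is drawing above.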