S. Wefel
2007-Aug-30 13:08 UTC
[Dovecot] Using NID_x500UniqueIdentifier as ssl_username_from_cert
Hi,

please have a look at the attached patch for dovecot-1.0.3. This patch modifies ssl_proxy_get_peer_name() to use the NID_x500UniqueIdentifier as username instead of NID_commonName.

The reason is that the Common Name doesn't have to be unique for the whole mailserver. Example: in Germany a lot of people have the first name "Andreas" and the last name "Schulz". Therefore a lot of certificates exist with subjects like this:

C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz at abc.de
C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz at def.de
...

dovecot couldn't distinguish between these users. So we decided to use certificates with an X509v3 extension NID_x500UniqueIdentifier which allows extending the subject by a unique ID, e.g. the unix-uid or a database unique key. The new certificates may look like this:

C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz at abc.de/x500UniqueIdentifier=user1
C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz at def.de/x500UniqueIdentifier=user2

With the attached patch the user is taken from this extension, and e.g. with userdb=ldap you can use the filter string

user_filter = (&(objectClass=posixAccount)(uid=%u))

A good solution to use both the common name and the UniqueIdentifier is to extend settings like

ssl_username_from_cert = no | yes | cn | uid

where "yes" is similar to "cn".

Regards,
Sandro Wefel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: NID_x500UniqueIdentifier.diff
Type: text/x-patch
Size: 696 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20070830/d181d7db/attachment-0002.bin>
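The lookup the patch changes, shown as an added example that is neither Dovecot's code nor the attached diff: a pure-Python walk over a DER-encoded X.509 subject Name that fetches an attribute by its OID, which is what OpenSSL's X509_NAME_get_text_by_NID() does for NID_commonName or NID_x500UniqueIdentifier inside the server. The two sample subjects are constructed here to match the ones quoted in the mail; the encoder, the helper names, the decision to write every value as UTF8String, and the "no | yes | cn | uid" mode strings are assumptions of this example, not settings Dovecot 1.0 has. Running it shows the collision on "Andreas Schulz" under cn and none under uid.

```python
"""Pick the login name out of an X.509 subject by attribute OID.

Added example, not Dovecot code.  The RDNSequence (RFC 5280) is walked by
hand so it runs without OpenSSL; in the server the same lookup is
X509_NAME_get_text_by_NID() with NID_commonName / NID_x500UniqueIdentifier.
"""

# Dotted OIDs of the subject attributes used in the mail (X.520 / PKCS#9).
OID = {
    "C": "2.5.4.6",
    "O": "2.5.4.10",
    "CN": "2.5.4.3",
    "emailAddress": "1.2.840.113549.1.9.1",
    "x500UniqueIdentifier": "2.5.4.45",
}

# --- minimal DER encoder, only used to build the inline sample subjects ---
def _tlv(tag, body):
    n = len(body)
    if n >= 0x80:  # long-form length
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(size)]) + size + body
    return bytes([tag, n]) + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_subject(pairs):
    """[("CN", "Andreas Schulz"), ...] -> DER RDNSequence, one AVA per RDN.
    Assumption: every value is written as UTF8String (0x0C); real CAs use
    IA5String for emailAddress, which the decoder below accepts as well."""
    rdns = b""
    for attr, value in pairs:
        ava = _tlv(0x30, _der_oid(OID[attr]) + _tlv(0x0C, value.encode()))
        rdns += _tlv(0x31, ava)  # SET OF AttributeTypeAndValue
    return _tlv(0x30, rdns)

# --- decoder: the part that corresponds to X509_NAME_get_text_by_NID() ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def subject_attributes(der):
    """Return [(dotted_oid, text), ...] for every AVA, in subject order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)  # SET (one RDN)
        p = 0
        while p < len(rdn):
            _, ava, p = _read_tlv(rdn, p)  # SEQUENCE { type, value }
            _, oid, q = _read_tlv(ava, 0)
            _, value, _ = _read_tlv(ava, q)  # UTF8/IA5/PrintableString body
            out.append((_decode_oid(oid), value.decode("utf-8")))
    return out

def get_text_by_oid(der, dotted):
    """First value of attribute `dotted`, or None if the subject lacks it."""
    for oid, value in subject_attributes(der):
        if oid == dotted:
            return value
    return None

def username_from_cert(der, mode="cn"):
    """Mirror of the proposed ssl_username_from_cert = no | yes | cn | uid."""
    if mode == "no":
        return None
    attr = "CN" if mode in ("yes", "cn") else "x500UniqueIdentifier"
    return get_text_by_oid(der, OID[attr])

# Constructed sample subjects, one per organisation named in the mail.
SAMPLE_SUBJECTS = {
    "abc": encode_subject([("C", "DE"), ("O", "ABC"), ("CN", "Andreas Schulz"),
                           ("emailAddress", "andreas.schulz@abc.de"),
                           ("x500UniqueIdentifier", "user1")]),
    "def": encode_subject([("C", "DE"), ("O", "DEF"), ("CN", "Andreas Schulz"),
                           ("emailAddress", "andreas.schulz@def.de"),
                           ("x500UniqueIdentifier", "user2")]),
}

def colliding_usernames(mode):
    """Usernames that more than one sample certificate maps to under `mode`."""
    seen, dups = set(), set()
    for der in SAMPLE_SUBJECTS.values():
        user = username_from_cert(der, mode)
        if user in seen:
            dups.add(user)
        seen.add(user)
    return dups
```

Calling colliding_usernames("cn") returns {"Andreas Schulz"}, colliding_usernames("uid") returns an empty set, and a certificate without the attribute yields None, which a server should treat as an authentication failure rather than an empty username.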
Timo Sirainen
2007-Sep-09 02:55 UTC
[Dovecot] Using NID_x500UniqueIdentifier as ssl_username_from_cert
On Thu, 2007-08-30 at 15:08 +0200, S. Wefel wrote:
> please have a look at the attached patch for
> dovecot-1.0.3
> This patch modifies ssl_proxy_get_peer_name()
> to use the NID_x500UniqueIdentifier as username
> instead of NID_commonName.

I won't add new features to v1.0 (and especially not break existing setups :), but I implemented this to v1.1 now:

http://hg.dovecot.org/dovecot/rev/7ad61f00ee55

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://dovecot.org/pipermail/dovecot/attachments/20070909/3d4d8f08/attachment-0002.bin>