[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Fedora-directory-users] Re:Certificate authentication with SASL External

From: Rob Crittenden <rcritten redhat com>

Yann wrote:
Thanks Richard,

but this howto explain how to to match DN certificate to LDAP entry... my
problem is; i don't want to have a corresponding entry in LDAP directory...

I want to be identify only by the DN in the certificate, and match some ACL..
that all. No need to have an entry in the LDAP.

If it's possible in DS...

So you want to bind to the directory server with a valid client certificate for a user that doesn't exist? For what purpose?

There is no reason to assume any connection between SASL identities and LDAP directory entries. Moreover, in a true distributed directory system, there's no reason to assume that an entry for a valid user is present on every DSA in the system. Of course, the folks who developed LDAP didn't understand this essential bit of X.500, so it's no surprise that you're unfamiliar with distributed authentication. Remember that authentication is not the same as authorization - having the valid certificate just proves who you are to the server; the server doesn't have to accord you any privileges/authorization just because of that.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]