[Fedora-directory-users] Re:Certificate authentication with SASL External

Richard Megginson rmeggins at redhat.com
Wed Feb 8 03:04:13 UTC 2006


Howard Chu wrote:

>>
>> From: David Boreham <david_list at boreham.org>
>>  
>>
>>>> Remember that authentication is not the same as authorization -
>>>> having the valid certificate just proves who you are to the
>>>> server; the server doesn't have to accord you any
>>>> privileges/authorization just because of that.
>>
>>
>> Correct, but the OP _wanted_ to make an authorization decision for 
>> this identity, not just perform authentication.
>>   
>
>
> Yes, I'm sure eventually the OP would want to make an authorization 
> decision, but their complaint showed that they weren't even able to 
> get past authentication. The fact that FDS doesn't support distributed 
> authentication makes the authorization question a bit moot.

FDS does support certain types of distributed authentication - Kerberos 
(via GSSAPI) and pass-through authentication.  You can also pass 
authentication through to PAM.

>
>> I think what he wants is to be able to use the subject DN in the
>> client's cert directly as the bind identity for access control
>> purposes. This isn't supported. Not because the original developers
>> missed some grand X.500 vision, but because nobody needed to do that
>> (and haven't for 10 years, until now...).
>
>
> Personal experience tells me that many people have needed distributed 
> authentication in the past 10 years, and it's been used extensively in 
> OpenLDAP for the past 6 or so. The folks who designed LDAP plainly 
> didn't consider it, just as they didn't consider the majority of the 
> implications of true distributed operation.
>
Ok.  So, how exactly does OpenLDAP support this? saslauthd?