[Fedora-directory-users] Re: Certificate authentication with SASL External
Richard Megginson
rmeggins at redhat.com
Wed Feb 8 03:04:13 UTC 2006
Howard Chu wrote:
>>
>> From: David Boreham <david_list at boreham.org>
>>
>>
>>> Remember that authentication is not the same as authorization -
>>> having the valid certificate just proves who you are to the
>>> server; the server doesn't have to accord you any
>>> privileges/authorization just because of that.
>>
>>
>> Correct, but the OP _wanted_ to make an authorization decision for
>> this identity, not just perform authentication.
>>
>
>
> Yes, I'm sure eventually the OP would want to make an authorization
> decision, but their complaint showed that they weren't even able to
> get past authentication. The fact that FDS doesn't support distributed
> authentication makes the authorization question a bit moot.
FDS does support certain types of distributed authentication - Kerberos
(via GSSAPI) and pass-through authentication. You can also pass
authentication through to PAM.
>
>> I think what he wants is to be able to use the subject DN in the
>> client's cert directly as the bind identity for access control
>> purposes. This isn't supported. Not because the original developers
>> missed some grand X.500 vision, but because nobody needed to do that
>> (and haven't for 10 years, until now...).
>
>
> Personal experience tells me that many people have needed distributed
> authentication in the past 10 years, and it's been used extensively in
> OpenLDAP for the past 6 or so. The folks who designed LDAP plainly
> didn't consider it, just as they didn't consider the majority of the
> implications of true distributed operation.
>
Ok. So, how exactly does OpenLDAP support this? saslauthd?
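The distinction the thread keeps returning to (the TLS layer authenticates the certificate holder, and the directory then makes a separate decision about what that identity may do) as an added worked example in Python. This is not code from the thread, from Fedora Directory Server or from OpenLDAP; the trusted-issuer constraint, the cn-to-uid mapping rule, the directory entries and the ACL table are all constructed sample data, and the subject and issuer DNs are assumed to arrive as strings already verified by the TLS layer.

```python
"""Added example (not from the thread): certificate authentication
(SASL EXTERNAL) kept separate from the authorization decision.

Step 1, map_identity(): turn the verified certificate's subject DN into a
directory bind identity via an explicit mapping rule.
Step 2, authorize(): decide whether that bind identity may touch a target
entry, independently of how it was authenticated."""

import re

# Constructed mapping rule: only certificates from this issuer map to an
# identity, and the cn component becomes the uid of an entry under PEOPLE_BASE.
TRUSTED_ISSUER = "cn=Example Corp CA,o=Example Corp,c=US"
PEOPLE_BASE = "ou=people,dc=example,dc=com"

# Constructed directory: bind identity -> set of group DNs it belongs to.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "cn=admins,ou=groups,dc=example,dc=com"},
    "uid=bob,ou=people,dc=example,dc=com": set(),
}

# Constructed ACL: (protected subtree, requirement). "authenticated" means
# any mapped identity; otherwise the value is a group the identity must be in.
ACL = [
    ("ou=config,dc=example,dc=com", "cn=admins,ou=groups,dc=example,dc=com"),
    ("ou=people,dc=example,dc=com", "authenticated"),
]


def parse_dn(dn):
    """Split an RFC 4514-style DN string into [(type, value), ...], most
    specific RDN first.  Unescapes backslash-escaped characters in values
    and lowercases attribute types so 'CN' and 'cn' compare equal.
    (Assumes values do not end in a literal escaped backslash.)"""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        value = re.sub(r"\\(.)", r"\1", value.strip())
        rdns.append((attr_type.strip().lower(), value))
    return rdns


def normalize_dn(dn):
    """Canonical lowercase form used for comparisons."""
    return ",".join(f"{t}={v.lower()}" for t, v in parse_dn(dn))


def map_identity(subject_dn, issuer_dn):
    """Authentication step: derive the bind identity from an already
    TLS-verified certificate.  Returns None when the certificate does not
    map onto a known directory entry, which the caller treats as an
    anonymous bind."""
    if normalize_dn(issuer_dn) != normalize_dn(TRUSTED_ISSUER):
        return None
    cn = next((v for t, v in parse_dn(subject_dn) if t == "cn"), None)
    if cn is None:
        return None
    bind_dn = f"uid={cn.lower()},{PEOPLE_BASE}"
    return bind_dn if bind_dn in DIRECTORY else None


def authorize(bind_dn, target_dn):
    """Authorization step: walk the ACL for the target entry.  Knows nothing
    about certificates; it only sees the bind identity from step 1."""
    if bind_dn is None:
        return False
    target = normalize_dn(target_dn)
    for subtree, requirement in ACL:
        subtree = normalize_dn(subtree)
        if target == subtree or target.endswith("," + subtree):
            if requirement == "authenticated":
                return True
            return requirement in DIRECTORY[bind_dn]
    return False


if __name__ == "__main__":
    issuer = "CN=Example Corp CA,O=Example Corp,C=US"
    for subject in ("CN=Alice,OU=Eng,O=Example Corp,C=US",
                    "CN=Bob,O=Example Corp,C=US"):
        who = map_identity(subject, issuer)
        print(subject, "->", who,
              "| config:", authorize(who, "cn=ldbm,ou=config,dc=example,dc=com"))
```

A valid certificate from the trusted CA gets Bob as far as a bind identity, but the ACL still denies him the config subtree; a certificate from any other issuer never becomes an identity at all, so authorization is never reached.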