[Fedora-directory-users] Certificate authentication with SASL External
Yann
clonay at free.fr
Fri Feb 10 17:23:30 UTC 2006
>>Remember that authentication is not the same as authorization - having the
valid certificate just proves who you are to the server; the server doesn't
have to accord you any privileges/authorization just because of that.
>>
>>Correct, but the OP _wanted_ to make an authorization decision for this
identity, not just perform authentication.
>>I think what he wants is to be able to use the subject DN in the client's cert
directly as the bind identity for access control purposes. This isn't
supported. >>Not because the original developers missed some grand X.500
vision, but because
>>nobody needed to do that (and haven't for 10 years, until now...).
Yes David, it's exactly what i want to do...
So, it's not supported in FD :-(
I tried to find another way to do that; ex: when i bind with a certificate with
no match entry in the LDAP directory, FDS say:
[10/Feb/2006:17:14:11 +0000] conn=510 SSL failed to map client certificate to
LDAP DN (No such object)
BUT, he's allow to view unprivilegied part of LDAP, because it's authenticated
by SASL before... like an anonymous account.
When he create an entry, the owner is "" (empty).. !?
So, is it possible to change this "default mapping" to something else to do what
i want to do ? :-)
Thanks !
Yann
More information about the Fedora-directory-users
mailing list