[Fedora-directory-users] TLS authentication without a user mapped
Richard Megginson
rmeggins at redhat.com
Thu Feb 23 14:54:51 UTC 2006
François Beretti wrote:
>Hi,
>
>is it possible to do a SASL/EXTERNAL bind with a TLS certificate,
>while no user in the directory is mapped to the certificate DN ?
>
>
No. The code currently requires an entry, and furthermore requires that
entry has a userCertificate attribute whose value matches the client
certificate.
>If yes, is it possible then to give rights to certificate DN (so, to a
>DN that is not in the directory) ?
>
>I would like this if I don't want to store users in a directory
>(because they already are in another one.
>
>
But you do want to use the access control features of Fedora DS on that
identity. You are the second person to ask about this recently. This
would probably involve quite a few code changes:
1) The client cert auth code would have to allow access by non-existent
users. Perhaps we could use the cert db to optionally look up the
certificate for comparison.
2) The access control code would have to allow access by non-existent users.
If the identity store is another LDAP server, you may be able to use
chaining.
>Thank you
>
>François
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20060223/a424a865/attachment.bin>
More information about the 389-users
mailing list