
Re: OpenLDAP with ssl client certs



On 11/01/2013 12:12 PM, Howard Chu wrote:
> I would reject such an ITS. Cert-pinning is an issue for clients that
> have a very large collection of trusted CAs. The Admin Guide clearly
> states that servers should only trust a single CA - the CA that signed
> its own certs and the certs of its clients. In that case, no one else
> can issue a valid cert with the same subjectDN.

   Thanks to everyone for their comments. Greatly appreciated and 
confirmed some of my suspicions about trying to use certs as an actual 
2nd factor.
   So, was I right in trying to use ~/.ldaprc to try to force 
ldapsearch (for instance) to use a cert for authentication?  Running a 
sniffer and looking at the traffic, it doesn't look like ldapsearch is 
ever doing anything beyond an anonymous bind unless I specify -D and -W 
in which case it's binding and authenticating as normal rather than 
using a cert.
   I think the notion of using a client cert as a 2nd factor will get 
dropped (at least for now - grin) but my curiosity is piqued enough that 
I probably will still tinker with getting slapd to validate a client 
cert (just for my own edjimication) and want to be sure I'm actually 
correctly getting the client to use the client cert. :-)
Brent
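An added illustration of the client-side mechanics Brent is asking about; this is not code from the thread or from the OpenLDAP project. The observation in the post is expected behaviour: a TLS_CERT/TLS_KEY pair in ~/.ldaprc only makes libldap present the certificate during the TLS handshake. It does not change the bind, so the tools still send a simple bind (anonymous, or the -D/-W identity). To authenticate *as* the certificate the client has to ask for the SASL EXTERNAL mechanism (-Y EXTERNAL, or SASL_MECH EXTERNAL in ldaprc), and the server has to have TLSVerifyClient set to try or demand. The host name, base DN, file paths and user name below are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): drive ldapsearch/ldapwhoami to
# authenticate with a TLS client certificate via SASL EXTERNAL, and show the
# simple-bind command line it is easily confused with.
# ldap.example.com, dc=example,dc=com, the cert/key paths and "brent" are
# assumptions, not values from the original post.
set -eu

LDAP_URI="ldap://ldap.example.com"   # assumed server; StartTLS via -ZZ
BASE_DN="dc=example,dc=com"          # assumed suffix

# Write a per-user ldaprc to the given path. TLS_CERT and TLS_KEY are
# user-only options, so they belong in ~/.ldaprc (or $LDAPRC), not in the
# system-wide ldap.conf. Comments are kept on their own lines, which is the
# only comment form ldap.conf(5) documents.
write_ldaprc() {
  out="$1"
  cat > "$out" <<EOF
# constructed ~/.ldaprc for SASL EXTERNAL over StartTLS (assumed paths)
URI $LDAP_URI
BASE $BASE_DN
# the single CA the server is expected to trust; also verify the server cert
TLS_CACERT /etc/ssl/certs/internal-ca.pem
TLS_REQCERT demand
# client certificate and matching private key presented in the handshake
TLS_CERT /home/brent/.ldap/brent.crt
TLS_KEY /home/brent/.ldap/brent.key
# uncomment to make EXTERNAL the default so -Y is not needed every time;
# note that -x (simple bind) on the command line still overrides it
#SASL_MECH EXTERNAL
EOF
}

# The command line that actually binds as the certificate: StartTLS first
# (-ZZ fails hard if TLS cannot be established), then SASL EXTERNAL.
external_search_cmd() {
  printf 'ldapsearch -ZZ -Y EXTERNAL -H %s -b %s -s base "(objectClass=*)" 1.1\n' \
    "$LDAP_URI" "$BASE_DN"
}

# For contrast: a simple bind. The client cert is still sent during the TLS
# handshake, but the bind identity and proof come from -D/-W, so the server
# never authenticates the session from the certificate.
simple_bind_cmd() {
  printf 'ldapsearch -ZZ -x -H %s -D "uid=brent,ou=people,%s" -W -b %s -s base "(objectClass=*)" 1.1\n' \
    "$LDAP_URI" "$BASE_DN" "$BASE_DN"
}

# The quickest way to confirm which identity the server derived: with
# EXTERNAL, ldapwhoami reports the certificate subject DN (or whatever
# authz-regexp in slapd maps it to); with an anonymous bind it reports
# "anonymous".
whoami_cmd() {
  printf 'ldapwhoami -ZZ -Y EXTERNAL -H %s\n' "$LDAP_URI"
}

# Only touches the real ~/.ldaprc and the network when run with "run".
if [ "${1:-}" = "run" ]; then
  write_ldaprc "$HOME/.ldaprc"
  sh -c "$(whoami_cmd)"
  sh -c "$(external_search_cmd)"
fi
```

On the slapd side the matching pieces are TLSVerifyClient (olcTLSVerifyClient under cn=config) set to try or demand, TLSCACertificateFile pointing at the one CA that issued both the server and client certs, and an authz-regexp line if the certificate subject DN should map onto an entry in the directory rather than being used verbatim. Running the whoami command before and after adding -Y EXTERNAL is the easiest way to see the difference a sniffer shows as "anonymous bind" versus a SASL bind.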