Hi,
is it possible to do a SASL/EXTERNAL bind with a TLS certificate, while no user in the directory is mapped to the certificate DN ?
If yes, is it possible then to give rights to certificate DN (so, to a DN that is not in the directory) ?
I would like this if I don't want to store users in a directory (because they already are in another one.
Thank you
François
François Beretti wrote:
Hi,
is it possible to do a SASL/EXTERNAL bind with a TLS certificate, while no user in the directory is mapped to the certificate DN ?
No. The code currently requires an entry, and furthermore requires that entry has a userCertificate attribute whose value matches the client certificate.
If yes, is it possible then to give rights to certificate DN (so, to a DN that is not in the directory) ?
I would like this if I don't want to store users in a directory (because they already are in another one.
But you do want to use the access control features of Fedora DS on that identity. You are the second person to ask about this recently. This would probably involve quite a few code changes: 1) The client cert auth code would have to allow access by non-existent users. Perhaps we could use the cert db to optionally look up the certificate for comparison. 2) The access control code would have to allow access by non-existent users.
If the identity store is another LDAP server, you may be able to use chaining.
Thank you
François
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
François Beretti wrote:
I would like this if I don't want to store users in a directory (because they already are in another one.
This would be a new feature. You'd need to write code to implement it (or someone would). Problem is that there are a bunch of places in the code where the existance of an entry with the bind identity is assumed. So it wouldn't be quite as simple as taking the cert DN and copying it into the bind DN for the session.
Sorry for my late answer.
When binding with cn=Directory Manager, the user does not exist. So the existance of the entry does not seem to be always requiered, does it ?
François
2006/2/23, David Boreham david_list@boreham.org:
This would be a new feature. You'd need to write code to implement it (or someone would). Problem is that there are a bunch of places in the code where the existance of an entry with the bind identity is assumed. So it wouldn't be quite as simple as taking the cert DN and copying it into the bind DN for the session.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
François Beretti wrote:
Sorry for my late answer.
When binding with cn=Directory Manager, the user does not exist. So the existance of the entry does not seem to be always requiered, does it ?
That user is special, and there is lots of code in the server to handle this special case.
The other instance is when using pass through auth or chaining - the user is remote.
François
2006/2/23, David Boreham david_list@boreham.org:
This would be a new feature. You'd need to write code to implement it (or someone would). Problem is that there are a bunch of places in the code where the existance of an entry with the bind identity is assumed. So it wouldn't be quite as simple as taking the cert DN and copying it into the bind DN for the session.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org