[Fedora-directory-users] Re:Certificate authentication with SASL External
Howard Chu
hyc at symas.com
Tue Feb 7 20:02:29 UTC 2006
> From: Rob Crittenden <rcritten at redhat.com>
>
> Yann wrote:
>
>> Thanks Richard,
>>
>> but this howto explain how to to match DN certificate to LDAP entry... my
>> problem is; i don't want to have a corresponding entry in LDAP directory...
>>
>> I want to be identify only by the DN in the certificate, and match some ACL..
>> that all. No need to have an entry in the LDAP.
>>
>> If it's possible in DS...
>>
>
> So you want to bind to the directory server with a valid client
> certificate for a user that doesn't exist? For what purpose?
>
There is no reason to assume any connection between SASL identities and
LDAP directory entries. Moreover, in a true distributed directory
system, there's no reason to assume that an entry for a valid user is
present on every DSA in the system. Of course, the folks who developed
LDAP didn't understand this essential bit of X.500, so it's no surprise
that you're unfamiliar with distributed authentication. Remember that
authentication is not the same as authorization - having the valid
certificate just proves who you are to the server; the server doesn't
have to accord you any privileges/authorization just because of that.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
More information about the Fedora-directory-users
mailing list