How to authenticate through an X509/pkcs12 client certificate (SSLv3/ [RFC 5246 ?] authentication only)?
Dan White
dwhite at olp.net
Sat Sep 4 11:55:17 EDT 2010
On 04/09/10 11:48 +0200, Thomas Harding wrote:
>On 02/09/2010 21:44, Dan White wrote:
>>Servers typically implement support by providing a STARTTLS command, and
>>using some information contained in the certificate to derive a username.
>>How the server derives the username is up to the server.
>
>Tried from imap/143/starttls and imaps/993 without success
How did you test it? Did you specify the EXTERNAL mechanism? You can test
with imtest:
imtest -t "<path>/client.cert" -m EXTERNAL imap.example.net
>From another response quoted below, EXTERNAL auth is done through OpenLDAP
>(ldapdb), which with further Internet readings offers "EXTERNAL".
>
>I didn't find literature on the Internet on that subject.
The ldapdb auxprop plugin will not have access to your client certificate,
and would not allow you to authenticate to the IMAP/SMTP without a username
and password.
It would allow you to store your user credentials in an LDAP directory.
>>Which presumably means that whatever is in the common name of the
>>certificate will become the authenticated identity.
>
>For sure, but I remain an alternative "key" field in certificates for
>identification, maybe found in an RFC, as far as an LDAP entry can have
>both "uid" and "cn" for "dn" "last significant name"
Again, how the server chooses to derive an authentication identity from the
contents of a certificate is left up to server implementation. There is no
standard that I'm aware of.
For instance, it might make some sense for an LDAP server to derive a DN as
the authentication identity, since the structure of a certificate and an
LDAP tree look similar. I don't actually know if that's true of OpenLDAP.
The SASL library offers the ability to canonicalize (simplify/unify)
authentication identities in this scenario, via a user canon plugin.
>>I believe sendmail, cyrus imap, and openldap support such authentication.
>>I don't believe postfix does. I cannot find any mention of
>>SASL_AUTH_EXTERNAL in its source.
>
>> [from Dan white]> You may use OpenLDAP as identity provider, ldapdb
>> as auxiliary
>> [from Dan white]> property plugin and SASL Mechanism EXTERNAL.
The first part was from me. The suggestion to use ldapdb came from Dieter.
--
Dan White
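The following is an added example, not code from this thread or from the Cyrus SASL project. It shows the two halves of what the thread discusses: a server deriving an authentication identity from a TLS client certificate and canonicalizing it (as a canon_user plugin might), and the client side of the IMAP AUTHENTICATE EXTERNAL exchange (RFC 4422 EXTERNAL with the SASL-IR syntax of RFC 4959). The certificate dicts are constructed inline in the shape that Python's ssl.SSLSocket.getpeercert() returns, so nothing connects to a network. The identity-selection policy (rfc822Name SAN, then subject emailAddress, then commonName), the realm handling, and the "a client may only act as the identity it proved" authorization rule are assumptions for illustration; as the post says, real servers pick their own rule.

```python
"""Derive a SASL authentication identity from a TLS client certificate and
build the IMAP AUTHENTICATE EXTERNAL exchange.  Added example; not from the
Cyrus SASL project.  Certificate dicts use the shape returned by
ssl.SSLSocket.getpeercert(), constructed inline so the script runs offline."""
import base64

# Constructed sample: what getpeercert() returns for a client certificate
# carrying both a commonName and an rfc822Name subjectAltName.
CERT_WITH_SAN = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "Alice Example"),),
    ),
    "subjectAltName": (("email", "Alice@EXAMPLE.NET"),),
    "serialNumber": "0A1B",
}

# Constructed sample: commonName only, no SAN and no emailAddress attribute.
CERT_CN_ONLY = {
    "subject": ((("commonName", "bob"),),),
}


def subject_attr(cert, name):
    """Return the first subject attribute called `name`, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def derive_identity(cert):
    """Pick the identity the server will authenticate.  Policy (an assumption,
    not mandated by SASL or by any server): rfc822Name SAN first, then the
    subject emailAddress attribute, then the commonName."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "email":
            return value
    email = subject_attr(cert, "emailAddress")
    if email:
        return email
    cn = subject_attr(cert, "commonName")
    if cn:
        return cn
    raise ValueError("certificate carries no usable identity")


def canonicalize(identity, default_realm=None):
    """Illustrative canonicalisation standing in for what a SASL canon_user
    plugin would do: lowercase, and attach a realm if the name has none."""
    identity = identity.strip().lower()
    if "@" not in identity and default_realm:
        identity = f"{identity}@{default_realm.lower()}"
    return identity


def imap_authenticate_external(tag, authzid=""):
    """Client side of RFC 4422 EXTERNAL over IMAP with SASL-IR (RFC 4959).
    The initial response is the requested authorization identity; an empty
    one is sent as '=' so the server can tell it apart from 'no initial
    response'."""
    ir = base64.b64encode(authzid.encode()).decode() if authzid else "="
    return f"{tag} AUTHENTICATE EXTERNAL {ir}"


def server_decide(cert, authzid="", default_realm=None):
    """Server side: authenticate from the certificate, then check the requested
    authorization identity.  With EXTERNAL the only thing the client can
    influence is authzid, so this check is the whole authorization step.
    Returns (ok, effective_identity)."""
    authn = canonicalize(derive_identity(cert), default_realm)
    if not authzid:
        return True, authn
    requested = canonicalize(authzid, default_realm)
    # Simplest policy (an assumption): a client may only act as the identity
    # it proved with its certificate.
    return requested == authn, requested


if __name__ == "__main__":
    print(imap_authenticate_external("A01"))
    print(imap_authenticate_external("A02", "alice@example.net"))
    for cert in (CERT_WITH_SAN, CERT_CN_ONLY):
        print(server_decide(cert, default_realm="example.net"))
```

Note that with a certificate that has no SAN and no emailAddress, the CN alone becomes the identity, which is why the thread's remark that "whatever is in the common name will become the authenticated identity" matters: a CA that issues certificates with free-form CNs would let the CN collide with another user's name unless the server scopes it with a realm, as canonicalize() does here.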