Re: Certificate authentication with SASL External

> From: Rob Crittenden <rcritten at redhat.com>
>
> Yann wrote:
>   
>> Thanks Richard,
>>
>> but this howto explains how to match DN certificate to LDAP entry... my
>> problem is: I don't want to have a corresponding entry in LDAP directory...
>>
>> I want to be identified only by the DN in the certificate, and match some ACL..
>> that's all. No need to have an entry in the LDAP.
>>
>> If it's possible in DS...
>>     
>
> So you want to bind to the directory server with a valid client 
> certificate for a user that doesn't exist? For what purpose?
>   

There is no reason to assume any connection between SASL identities and 
LDAP directory entries. Moreover, in a true distributed directory 
system, there's no reason to assume that an entry for a valid user is 
present on every DSA in the system. Of course, the folks who developed 
LDAP didn't understand this essential bit of X.500, so it's no surprise 
that you're unfamiliar with distributed authentication. Remember that 
authentication is not the same as authorization - having the valid 
certificate just proves who you are to the server; the server doesn't 
have to accord you any privileges/authorization just because of that.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
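
The separation between authentication and authorization discussed in this thread, as an added example that is not part of the original messages and is not the ACL syntax of any directory server: the subject DN is assumed to come from a client certificate the TLS layer has already verified, and rights are decided from that DN alone, with no directory entry lookup. The names `normalize_dn`, `Rule`, `rule`, `authorize` and the sample DNs are hypothetical.

```python
import re
from typing import NamedTuple

def normalize_dn(dn: str) -> tuple:
    """Turn an RFC 4514 string DN into a tuple of (type, value) RDNs.

    Simplified for illustration: splits on unescaped commas, lowercases
    attribute types, collapses whitespace and casefolds values (assumes
    case-insensitive matching). Multi-valued RDNs are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), " ".join(value.split()).casefold()))
    return tuple(rdns)

class Rule(NamedTuple):
    scope: str         # "exact" or "subtree"
    dn: tuple          # normalized DN the rule applies to
    rights: frozenset  # rights granted on a match

def rule(scope: str, dn: str, *rights: str) -> Rule:
    return Rule(scope, normalize_dn(dn), frozenset(rights))

def authorize(subject_dn: str, acl: list, right: str) -> bool:
    """Authorize from the authenticated DN alone; no entry lookup.

    First matching rule decides; no match (or a malformed DN) means deny.
    """
    try:
        subject = normalize_dn(subject_dn)
    except ValueError:
        return False
    for r in acl:
        if r.scope == "exact":
            matched = subject == r.dn
        else:  # subtree: the rule DN is a suffix of the subject DN
            matched = subject[-len(r.dn):] == r.dn
        if matched:
            return right in r.rights
    return False

# Constructed sample policy; these DNs are illustrative only.
ACL = [
    rule("exact", "CN=backup-agent,O=Example Corp", "read"),
    rule("subtree", "OU=Admins,O=Example Corp", "read", "write"),
]
```

A certificate whose DN matches no rule is still an authenticated identity; it simply receives no rights.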



