Howard Chu wrote:
>>
>> From: David Boreham <david_list at boreham.org>
>>
>>> Remember that authentication is not the same as authorization -
>>> having the valid certificate just proves who you are to the
>>> server; the server doesn't have to accord you any
>>> privileges/authorization just because of that.
>>
>> Correct, but the OP _wanted_ to make an authorization decision for
>> this identity, not just perform authentication.
>
> Yes, I'm sure eventually the OP would want to make an authorization
> decision, but their complaint showed that they weren't even able to
> get past authentication. The fact that FDS doesn't support distributed
> authentication makes the authorization question a bit moot.

FDS does support certain types of distributed authentication - Kerberos
(via GSSAPI) and pass through authentication. You can also pass
authentication through to PAM.

>> I think what he wants is to be able to use the subject DN in the
>> client's cert directly as the bind identity for access control
>> purposes. This isn't supported. Not because the original developers
>> missed some grand X.500 vision, but because nobody needed to do that
>> (and haven't for 10 years, until now...).
>
> Personal experience tells me that many people have needed distributed
> authentication in the past 10 years, and it's been used extensively in
> OpenLDAP for the past 6 or so. The folks who designed LDAP plainly
> didn't consider it, just as they didn't consider the majority of the
> implications of true distributed operation.

Ok. So, how exactly does OpenLDAP support this? saslauthd?