>>Remember that authentication is not the same as authorization - having the valid certificate just proves who you are to the server; the server doesn't have to accord you any privileges/authorization just because of that. >> >>Correct, but the OP _wanted_ to make an authorization decision for this identity, not just perform authentication. >>I think what he wants is to be able to use the subject DN in the client's cert directly as the bind identity for access control purposes. This isn't supported. >>Not because the original developers missed some grand X.500 vision, but because >>nobody needed to do that (and haven't for 10 years, until now...). Yes David, it's exactly what i want to do... So, it's not supported in FD :-( I tried to find another way to do that; ex: when i bind with a certificate with no match entry in the LDAP directory, FDS say: [10/Feb/2006:17:14:11 +0000] conn=510 SSL failed to map client certificate to LDAP DN (No such object) BUT, he's allow to view unprivilegied part of LDAP, because it's authenticated by SASL before... like an anonymous account. When he create an entry, the owner is "" (empty).. !? So, is it possible to change this "default mapping" to something else to do what i want to do ? :-) Thanks ! Yann
