Fran?ois Beretti wrote: >Hi, > >is it possible to do a SASL/EXTERNAL bind with a TLS certificate, >while no user in the directory is mapped to the certificate DN ? > > No. The code currently requires an entry, and furthermore requires that entry has a userCertificate attribute whose value matches the client certificate. >If yes, is it possible then to give rights to certificate DN (so, to a >DN that is not in the directory) ? > >I would like this if I don't want to store users in a directory >(because they already are in another one. > > But you do want to use the access control features of Fedora DS on that identity. You are the second person to ask about this recently. This would probably involve quite a few code changes: 1) The client cert auth code would have to allow access by non-existent users. Perhaps we could use the cert db to optionally look up the certificate for comparison. 2) The access control code would have to allow access by non-existent users. If the identity store is another LDAP server, you may be able to use chaining. >Thank you > >Fran?ois > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20060223/a424a865/attachment.bin
