Remember that authentication is not the same as authorization - having the valid certificate just proves who you are to the server; the server doesn't have to accord you any privileges/authorization just because of that.
Correct, but the OP _wanted_ to make an authorization decision for this identity, not just perform authentication.
I think what he wants is to be able to use the subject DN in the client's cert directly as the bind identity for access control purposes. This isn't supported. Not because the original developers missed some grand X.500 vision, but because
nobody needed to do that (and haven't for 10 years, until now...). -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
