lists.arthurdejong.org

nslcd authc using certificates?

Hi Arthur,

We decided to store/check a history of passwords, using the OpenLDAP
ppolicy overlay.  I learned from the slapo-ppolicy(5) page, that "no
history checking occurs if the password is being modified by the
rootdn, although the password is saved in the history".

So I began to consider secure ways to store the rootdn credentials. 
One alternative that seems a possibility is to create an LDAP client
certificate which allows just a rootdn authentication.

i.e. create an openssl "extfile" with contents:
   extendedKeyUsage = clientAuth
   subjectAltName = IP:n.n.n.n,DNS:host.domain.etc,DNS:...
   
create a certificate request with the subject line:
   openssl req -subj "/DC=com/DC=example/CN=admin" -new -key ..

I've used such a certificate to authenticate to openldap as the rootdn
("cn=admin,dc=example,dc=com") in the past.  The idea was to put the
certificate in a secure location only readable by the uid/gid in the
nslcd.conf file, and set the tls_cert/tls_key variables to point to
this certificate & key.

However, after testing, I found that nslcd_pam_authc() doesn't appear
to consider this possibility of authenticating.

So, my questions:
  * Is this idea sensible?  (logically & from a security standpoint)
  * Does the functionality already exist via another means?
  * Is it worth pursuing via a feature-request?

(I know I can store the rootpwmoddn/rootpwmodpw in the nslcd.conf file
and tighten the permissions, but the certificate method seemed even
more secure; the rootdn credentials can never be seen on screen.)

Thanks,

-- 
Phil
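
The certificate setup described in the message above, as an added example
(it is not code from the original post, from nss-pam-ldapd or from OpenLDAP):
a shell script that builds a throwaway CA, issues a client certificate from
the same extfile and subject line, and then checks what a server would find
in it. The CA name, the SAN values 127.0.0.1/host.example.com, the one-day
validity and the helper names are assumptions; it needs the openssl command
line (1.1.1 or newer for the options used) and writes into a temporary
directory.

```shell
#!/bin/sh
# Added example, not from the original post or from nss-pam-ldapd/OpenLDAP.
# Assumptions: openssl CLI available; CA name, SAN values and validity are
# placeholders; the nslcd uid/gid chown from the post is omitted (not root).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway CA and issue a clientAuth-only certificate whose subject
# is the rootdn in X.509 order, exactly as in the post.  Argument: work dir.
make_client_cert() {
    dir="$1"

    # CA extensions: signed with 'x509 -req' so only this extfile applies,
    # independent of whatever openssl.cnf is installed.
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$dir/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -sha256 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt" 2>/dev/null

    # The extfile from the post (SAN values are placeholders).
    printf 'extendedKeyUsage = clientAuth\nsubjectAltName = IP:127.0.0.1,DNS:host.example.com\n' \
        > "$dir/ext.cnf"

    # CSR with the subject line from the post: /DC=com/DC=example/CN=admin.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/DC=com/DC=example/CN=admin" \
        -keyout "$dir/admin.key" -out "$dir/admin.csr" 2>/dev/null

    # Sign it; the extfile restricts the certificate to client authentication.
    openssl x509 -req -days 1 -sha256 -in "$dir/admin.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/admin.crt" 2>/dev/null

    # Private key readable by its owner only (the post: only the nslcd uid/gid;
    # point tls_cert/tls_key in nslcd.conf at admin.crt/admin.key).
    chmod 0400 "$dir/admin.key"
}

# Subject in RFC 2253 (LDAP) order: CN=admin,DC=example,DC=com.
cert_subject_rfc2253() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# True if extendedKeyUsage contains clientAuth.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# True if the chain verifies AND the EKU permits use as a TLS client.
# Arguments: cert, CA cert.
cert_verifies_as_client() {
    openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1
}

# Octal mode of a file (GNU stat, falling back to BSD stat).
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

make_client_cert "$WORK"
echo "subject (RFC 2253 order): $(cert_subject_rfc2253 "$WORK/admin.crt")"
echo "key mode: $(key_mode "$WORK/admin.key")"
cert_has_client_auth "$WORK/admin.crt" && echo "EKU: clientAuth present"
cert_verifies_as_client "$WORK/admin.crt" "$WORK/ca.crt" && echo "verify -purpose sslclient: OK"
```

cert_subject_rfc2253 prints the subject as CN=admin,DC=example,DC=com, the
LDAP-ordered form of the identity slapd derives from a client certificate
under SASL EXTERNAL, which after DN normalization is the rootdn
cn=admin,dc=example,dc=com. openssl verify -purpose sslclient fails if the
extendedKeyUsage does not permit client authentication, which is the check to
run before pointing nslcd's tls_cert/tls_key at the files.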