Re: nslcd authc using certificates?

On Tue, 2021-09-21 at 16:28 +0930, Phil Nitschke wrote:
> So, my questions:
>   * Is this idea sensible?  (logically & from a security standpoint)
>   * Does the functionality already exist via another means?
>   * Is it worth pursuing via a feature-request?

It seems like a nice alternative for the rootpwmodpw option in
nslcd.conf (e.g. rootpwmodtls_cert) and I would welcome code that
provides this functionality.

The difficult part (in terms of current code) is probably that the
client TLS certificate needs to be specified when opening the LDAP
connection and we need to switch to using the external authentication
mechanism for password modifications as root.

Also note that rootpwmoddn is only used for password resets by root and
you may be better off doing password resets via some other means (e.g.
to also force the user to change their password directly after the
reset).

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --