Thanks for your answers.
On Nov 16, 2007 1:21 PM, Enda <en...@codefoundry.com> wrote:
On Nov 16, 2007 11:51 AM, Fernando Iglesias wrote:
Ok, I'll try to introduce my idea. I've an x509 cert; the field CN is a user name that exists in the LDAP server. I can extract this CN from the cert using Apache SSL, then a PHP program takes this username and tries to log in to Courier IMAP using Courier authlib and an LDAP server, but a password is needed.
Yes, a password is needed, as it secures the account.
So my idea was, "can I use this cert to authenticate the user directly?" If I store x509 certs in LDAP, can I configure authlib to authenticate against the pair (user name, x509 cert)?
You might as well remove the passwords altogether, since what you are proposing is equivalent to authenticating with (user name, public cleartext password). The x.509 cert is not secure and does not provide security; it is a public document containing information which can be used to verify data signed / encrypted with its associated private key. You've lost all that in your scheme.
Try storing cleartext passwords in LDAP, ditch the x.509 certs, use LDAP ACLs to secure the LDAP password fields and retrieve the password instead of an x.509 cert. It's essentially the same process, except it removes the illusion of security around your password, and that's all you've got: an illusion, no security.
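As an added illustration (not from this thread, and not Courier authlib code), the Go program below contrasts the two checks Enda is comparing: `NaiveAuth` accepts whoever presents a copy of the stored public certificate, which is the proposed (user name, cert) lookup, while `ProofOfPossession` does what a certificate is actually built for and verifies a signature over a fresh server nonce, which only the holder of the private key can produce. The LDAP entry is modelled as a `Directory` struct holding the DER-encoded public key, and the key pair is generated in-process rather than loaded from a real cert; both are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type Directory struct{ StoredPub []byte } // stands in for the LDAP entry: the cert's public key, DER-encoded

// NaiveAuth is the scheme proposed in the thread: whoever presents a copy of the
// stored cert is accepted. The cert is public, so this identifies nobody.
func (d Directory) NaiveAuth(presented []byte) bool {
	return bytes.Equal(d.StoredPub, presented)
}

// ProofOfPossession is what a cert is for: accept only a signature over a fresh
// server nonce that verifies under the stored key, so the private key is required.
func (d Directory) ProofOfPossession(nonce, sig []byte) bool {
	pub, err := x509.ParsePKIXPublicKey(d.StoredPub)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

// Sign is the client side: sign the server's nonce with the private key.
func Sign(priv *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed user key pair
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)      // the public half, as LDAP would store it
	dir := Directory{StoredPub: der}
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per attempt, so a captured signature cannot be replayed
	fmt.Println("naive check, a copy of the public cert suffices:", dir.NaiveAuth(dir.StoredPub))
	fmt.Println("proof of possession, private key required:", dir.ProofOfPossession(nonce, Sign(priv, nonce)))
}
```

Mapping this onto the thread: the naive check is equivalent to the cleartext-password lookup Enda describes, whereas the nonce-signature check is what Apache's SSL client-certificate verification already performs on the TLS connection before the CN ever reaches the PHP program.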