From: Howard Chu
Date: Fri, 14 Jun 2002 13:35:09 +0000 (+0000)
Subject: Added a bit about client and server certificates.
X-Git-Tag: NO_SLAP_OP_BLOCKS~1454
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=3ee908649a456091a3204338e059838919698013;p=openldap

Added a bit about client and server certificates.
---
diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf
index 51d5c84906..b6e0c90b03 100644
--- a/doc/guide/admin/tls.sdf
+++ b/doc/guide/admin/tls.sdf
@@ -3,15 +3,35 @@ H1: Using TLS -OpenLDAP clients and servers are capable of using +OpenLDAP clients and servers are capable of using the Transport Layer Security {{TERM:TLS}} framework to provide integrity and confidentiality protections and to support -LDAP authentication via SASL EXTERNAL. +LDAP authentication using the SASL EXTERNAL mechanism. TLS uses {{TERM:X.509}} certificates to carry client and server identities. All servers are required to have valid certificates, whereas client certificates are optional. Clients must have a -valid certificate in order to authenticate using the SASL EXTERNAL -mechanism. +valid certificate in order to authenticate via SASL EXTERNAL. +For more information on creating and managing certificates, +see the {{PRD:OpenSSL}} documentation. +H2: Server Certificates +The DN of a server certificate must use the CN attribute +to name the server, and the CN must carry the server's +fully qualified domain name. Additional alias names and wildcards +may be present in the subjectAltName certificate extension. +More details on server certificate names are in {{REF:RFC2830}}. + +H2: Client Certificates + +The DN of a client certificate can be used directly as an +authentication DN. +Since X.509 is a part of the {{TERM:X.500}} standard and LDAP +is also based on X.500, both use the same DN formats and +generally the DN in a user's X.509 certificate should be +identical to the DN of their LDAP entry. However, sometimes +the DNs may not be exactly the same, and so the mapping +facility described in +{{SECT:Mapping Authentication identities to LDAP entries}} +can be applied to these DNs as well.
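Review bot: The new "Client Certificates" section says the certificate DN "can be used directly as an authentication DN" but never states the precondition that makes this safe: the server must have requested the client certificate and verified its chain against its trusted CAs before the subject DN is treated as an identity. The earlier sentence only requires a "valid certificate" and leaves "valid" undefined; suggest spelling out that validity means the certificate chains to a CA the server trusts, and pointing at the slapd directive that controls whether client certificates are requested and verified (TLSVerifyClient), since with verification off any client can present a self-signed certificate carrying an arbitrary DN. Two smaller points in the same hunk: the "Server Certificates" paragraph says the CN "must" carry the FQDN and treats subjectAltName as holding only "additional alias names and wildcards", whereas RFC 2830 (cited two lines later) gives a dNSName subjectAltName precedence over the CN when one is present and permits the "*" wildcard in either place, so "must use the CN" overstates what the reference requires; and "both use the same DN formats" is loose, since a certificate subject is a DER-encoded ASN.1 name that has to be rendered in LDAP string form (RFC 2253) before it can be compared with an entry DN, which is exactly why the mapping facility referenced at the end of the hunk is needed. Rewording the last paragraph to say the two DNs are often but not always identical after that conversion would make the pointer to {{SECT:Mapping Authentication identities to LDAP entries}} read as the expected case rather than an afterthought.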