Web Access Via Client Certificates

From: Rick Reineman (reineman1@llnl.gov)
Date: Wed Apr 14 2004 - 12:15:42 EDT


We are trying to set up an iplanet web server to allow access based on
certificates only. No username/password access.

We have it working so that a client cert that is from our approved list
of CAs is allowed; all others are denied.

Now we want to get a little more granular and pull fields out of the
cert and allow or deny further access based on that. In the iplanet web
server (and most others) there is a file named certmap.conf. This
appears to be the configuration file that sets what fields we want to
match in the cert.

Here's the problem we are stuck at. We don't understand if we need to
store the certs in the iplanet directory service (LDAP). All the docs
imply that the certmap.conf compares against certs in the directory.

We are not a CA so we don't see a reason to manage all the certs that
come our way. It's good enough for us that the CA and a couple of
fields in the cert match our requirements.

The one thing we do need the directory for is to organize groups. The
members of those groups are those whose certs have a field we can match,
for example the email field. An example of a group could be: a cert with
reineman1@llnl.gov in it is allowed access via a group named
Government.

Do we really have to store all the certs in the directory, or can we
just process them on the fly?

We do have a directory need so we can manage groups and base access on
that.

Thanks in advance,
Rick

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rick Reineman                                         IT Systems Manager
Lawrence Livermore National Laboratory - NAI/Q/CAS    reineman1@llnl.gov
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
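As an added illustration, not part of Rick's post, the fragment below shows the certmap.conf form the iPlanet/Sun ONE web server documentation describes for mapping a client cert to a directory entry by its email component; the issuer DN and mapping name are assumed placeholders for one of the approved CAs.

```conf
# Added example certmap.conf fragment (not from the original post).
# "approvedca" is an assumed mapping name; the issuer DN is an assumed
# placeholder for one of the approved CAs.
certmap approvedca "ou=Example CA, o=Example Org, c=US"

# DNComps left empty: the search is not restricted to a base DN built
# from components of the cert subject.
approvedca:DNComps

# FilterComps e: build the LDAP search filter from the cert's e (email)
# component, which is matched against the mail attribute of a user entry.
approvedca:FilterComps e

# verifycert off: the presented cert is not compared with a
# userCertificate attribute, so the certs themselves need not be stored
# in the directory; only a user entry with a matching mail value is needed.
approvedca:verifycert off
```

With this mapping the web server resolves the cert to the single user entry whose mail attribute matches, and that entry's group membership (such as a group named Government) can then be used in the server's ACLs; if the search matches zero or more than one entry, the mapping fails and access is denied.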


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:27 EDT