[Dovecot] Using NID_x500UniqueIdentifier as ssl_username_from_cert

S. Wefel sandro.wefel at informatik.uni-halle.de
Thu Aug 30 16:08:08 EEST 2007


Hi,

please have a look at the attached patch for
dovecot-1.0.3.
This patch modifies ssl_proxy_get_peer_name()
to use the NID_x500UniqueIdentifier as username
instead of NID_commonName.

The reason is that the Common Name doesn't have
to be unique for the whole mailserver.

Example: in Germany a lot of people have the
first name "Andreas" and the last name "Schulz".
Therefore a lot of certificates exist with subjects
like this:
C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz at abc.de
C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz at def.de
...
dovecot couldn't distinguish between these users.
So we decided to use certificates with an X509v3
extension NID_x500UniqueIdentifier, which allows the
subject to be extended with a unique ID, e.g. the unix uid
or a database unique key.

The new certificates may look like this:
C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz at abc.de/x500UniqueIdentifier=user1
C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz at def.de/x500UniqueIdentifier=user2

With the attached patch the user is taken from this
extension and e.g. with userdb=ldap you can use
the filter string
user_filter = (&(objectClass=posixAccount)(uid=%u))

A good solution to use both the common name and the
UniqueIdentifier is to extend settings like
 ssl_username_from_cert = no | yes | cn | uid
where "yes" is similar to "cn".

Regards,
Sandro Wefel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NID_x500UniqueIdentifier.diff
Type: text/x-patch
Size: 696 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20070830/d181d7db/attachment.bin 
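The collision the mail describes, and the proposed no | yes | cn | uid setting, simulated on the subject strings quoted above. This is an added example, not the attached patch or Dovecot code: it works on OpenSSL-style subject strings rather than calling OpenSSL, the sample subjects are constructed (with "@" instead of the archive's " at "), and `username_from_cert`/`colliding_users` are hypothetical names.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample subjects, in the form quoted in the mail
# (attributes separated by ',' or '/').
OLD_CERTS = [
    "C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz@abc.de",
    "C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz@def.de",
]
NEW_CERTS = [
    "C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz@abc.de/x500UniqueIdentifier=user1",
    "C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz@def.de/x500UniqueIdentifier=user2",
]

# Split only at a ',' or '/' that starts a new "key=" attribute, so values
# containing spaces are not cut in the middle.
_ATTR_SEP = re.compile(r"[,/](?=[A-Za-z0-9.]+=)")


def parse_subject(subject: str) -> Dict[str, str]:
    """Return the first value of each subject attribute (keys are case-sensitive)."""
    attrs: Dict[str, str] = {}
    for part in _ATTR_SEP.split(subject):
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip(), value)
    return attrs


def username_from_cert(subject: str, mode: str) -> Optional[str]:
    """Hypothetical ssl_username_from_cert = no | yes | cn | uid semantics."""
    if mode == "no":
        return None
    attrs = parse_subject(subject)
    if mode in ("yes", "cn"):
        return attrs.get("CN")
    if mode == "uid":
        # Deliberately no fallback to CN: a certificate without the
        # identifier yields no username, so the login fails closed.
        return attrs.get("x500UniqueIdentifier")
    raise ValueError(f"unknown ssl_username_from_cert value: {mode}")


def colliding_users(subjects: List[str], mode: str) -> Dict[str, List[str]]:
    """Usernames that more than one certificate would log in as."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for subject in subjects:
        user = username_from_cert(subject, mode)
        if user is not None:
            seen[user].append(subject)
    return {user: certs for user, certs in seen.items() if len(certs) > 1}
```

With mode "cn" both old certificates map to "Andreas Schulz"; with mode "uid" the new certificates map to user1 and user2 and the old ones to no user at all.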

