SSL Client authentication with trustcenter-certificate
Dear reader,
we are using dovecot 2.2.7 and like it very much. Authentication is done via a checkpassword program that does two things:
- check whether the client has connected via SSL using a client certificate
- check whether the client is using a one time password generator
Most of our users are using certificates that we have created ourselves. These certificates contain an x500uniqueidentifier.
But some users are using certificates from a German trust center and these certificates do not contain an x500uniqueIdentifier or anything similar.
I would like to map these certificates to user accounts and my first idea was to do so from my checkpassword program.
But how do I find out the client-certificate from within a checkpassword script? I tried to add an additional entry to auth_request_var_expand_static_tab and fill in that environment variable in auth_request_get_var_expand_table_full() (both in src/auth/auth-request.c).
But where do I find the SSL-context from which I can extract the client certificate?
Kind regards
Peter Koch