[Dovecot] Using NID_x500UniqueIdentifier as ssl_username_from_cert
Hi,
Please have a look at the attached patch for dovecot-1.0.3. This patch modifies ssl_proxy_get_peer_name() to use NID_x500UniqueIdentifier as the username instead of NID_commonName.
The reason is that the Common Name doesn't have to be unique for the whole mail server.
Example: in Germany a lot of people have the first name "Andreas" and the last name "Schulz". Therefore a lot of certificates exist with subjects like this:
C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz@abc.de
C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz@def.de
...
Dovecot couldn't distinguish between these users. So we decided to use certificates with an X509v3 extension NID_x500UniqueIdentifier, which allows the subject to be extended by a unique ID, e.g. the unix uid or a database unique key.
The new certificates may look like this:
C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz@abc.de/x500UniqueIdentifier=user1
C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz@def.de/x500UniqueIdentifier=user2
With the attached patch the user is taken from this extension and, e.g. with userdb=ldap, you can use the filter string user_filter = (&(objectClass=posixAccount)(uid=%u))
A good solution to use both the common name and the UniqueIdentifier is to extend the setting, like ssl_username_from_cert = no | yes | cn | uid, where "yes" is similar to "cn".
Regards, Sandro Wefel
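The username selection proposed in the message above, worked through as an added example (not Dovecot's code and not the attached patch). Dovecot reads the subject through OpenSSL rather than parsing text, so this script parses the one-line subject strings shown in the message with a deliberately simple splitter (it does not handle escaped separators), implements the proposed no | yes | cn | uid modes, and includes a collision check an admin can run over the issued certificates before deciding whether the CN is safe to use as a login name. The sample subjects are constructed from the shapes in the message.

```python
"""Username selection from a client-certificate subject (illustrative only).

Added example, not Dovecot's implementation: Dovecot obtains the subject
from OpenSSL, whereas this module parses the textual subject lines from
the mailing-list message so it runs without a TLS stack. The mode names
(no | yes | cn | uid) are the ones proposed in the thread.
"""
from collections import Counter
import re

# Constructed sample subjects in the shape used in the message: two people
# share a Common Name and differ only in the x500UniqueIdentifier field;
# a third certificate carries no x500UniqueIdentifier at all.
SAMPLE_SUBJECTS = [
    "C=DE,O=ABC,CN=Andreas Schulz/emailAddress=andreas.schulz@abc.de/x500UniqueIdentifier=user1",
    "C=DE,O=DEF,CN=Andreas Schulz/emailAddress=andreas.schulz@def.de/x500UniqueIdentifier=user2",
    "C=DE,O=GHI,CN=Erika Mustermann/emailAddress=erika@ghi.de",
]


def parse_subject(subject):
    """Split a one-line subject into an ordered list of (attribute, value).

    The message separates attributes with either ',' or '/', so both are
    accepted. Escaped separators inside values (RFC 4514 style) are not
    handled; production code should let the X.509 library decode the name.
    """
    pairs = []
    for part in re.split(r"[,/]", subject):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed subject component: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def username_from_cert(subject, mode="yes"):
    """Pick the login name from a subject according to the proposed setting.

    no  -> never take the username from the certificate (returns None)
    yes -> same as cn (the historical behaviour)
    cn  -> first CN attribute
    uid -> first x500UniqueIdentifier attribute; None when the certificate
           has none, so the caller can refuse or fall back to the normal
           login instead of silently accepting an ambiguous name.
    """
    if mode == "no":
        return None
    if mode in ("yes", "cn"):
        wanted = "CN"
    elif mode == "uid":
        wanted = "x500UniqueIdentifier"
    else:
        raise ValueError(f"unknown ssl_username_from_cert value: {mode!r}")
    for attr, value in parse_subject(subject):
        if attr == wanted:
            return value
    return None


def find_collisions(subjects, mode):
    """Return the usernames that more than one certificate would map to.

    Running this over the issued client certificates before changing the
    setting shows whether 'cn' is unambiguous or the uid field is needed.
    """
    names = [username_from_cert(s, mode) for s in subjects]
    counts = Counter(n for n in names if n is not None)
    return sorted(n for n, c in counts.items() if c > 1)


if __name__ == "__main__":
    for mode in ("cn", "uid"):
        print(mode, [username_from_cert(s, mode) for s in SAMPLE_SUBJECTS],
              "collisions:", find_collisions(SAMPLE_SUBJECTS, mode))
```

With the sample set, "cn" mode maps both Andreas Schulz certificates to the same login and is reported as a collision, while "uid" mode yields user1 and user2 and returns None for the certificate without the field, which is the case a deployment has to decide how to treat before switching modes.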
On Thu, 2007-08-30 at 15:08 +0200, S. Wefel wrote:
> Please have a look at the attached patch for dovecot-1.0.3. This patch modifies ssl_proxy_get_peer_name() to use NID_x500UniqueIdentifier as the username instead of NID_commonName.
I won't add new features to v1.0 (and especially not break existing setups :), but I implemented this to v1.1 now: http://hg.dovecot.org/dovecot/rev/7ad61f00ee55
Participants (2): S. Wefel, Timo Sirainen