Digest Authentication - Netscape ENTERPRISE SERVER 6.0 - ADMINISTRATOR Administrator's Manual

Requiring client authentication for controlling access to specific resources differs
from requiring client authentication for all connections to the server. If you set the
server to require client authentication for all connections, the client only needs to
present a valid certificate issued by a trusted CA. If you set the server's access
control to use the SSL method for authentication of users and groups, the client will
need to:
Present a valid certificate issued by a trusted CA
The certificate must be mapped to a valid user in LDAP
The access control list must evaluate properly
When you require client authentication with access control, you need to have SSL
ciphers enabled for your web server. See Chapter 5, "Securing Your Enterprise
Server" to learn how to enable SSL.
In order to successfully gain access to an SSL authenticated resource, the client
certificate must be from a CA trusted by the web server. The client certificate needs
to be published in a directory server if the web server's certmap.conf file is
configured to compare the client's certificate in the browser with the client
certificate in the directory server. However, the certmap.conf file can be
configured to only compare selected information from the certificate to the
directory server entry. For example, you could configure the certmap.conf file to
only compare the user ID and email address in the browser certificate with the
directory server entry. To learn more about certmap.conf and certificate mapping,
see Chapter 5, "Securing Your Enterprise Server."
NOTE
Only the SSL authentication method requires modification to the
certmap.conf file, because the certificate is checked against the LDAP
directory. Requiring client authentication for all connections to the server
does not. If you choose to use client certificates, you should increase
the value of the AcceptTimeout directive in magnus.conf.

Digest Authentication

Digest authentication allows the user to authenticate based on username and
password without sending the username and password as cleartext. The browser
uses the MD5 algorithm to create a digest value using the user's password and
some information provided by Enterprise Server. This digest value is also
computed on the server side using the Digest Authentication plug-in, and
compared against the digest value provided by the client. If the digest values
match, the user is authenticated.
Chapter 8
Controlling Access to Your Server
What Is Access Control?
