#48 X.509/LDAP different Certificate CN,LDAP DN/UID

v1.8
open
nobody
5
2009-06-25
2009-06-25
Anonymous
No

This (multi-)patchfile addresses a core problem in the mapping of an inbound, X.509 (Strong-AuthScheme) based authentication to an LDAP entry. Using the 'CN' of the certificate's DN is trivially insufficient for uniqueness in a real environment (e.g., CN=John Smith). Instead, this functionality uses the CN to look up potential matches in LDAP (filter on CN for all hits), retrieves the certificates, and verifies the certificate itself against that/those on the entry/ies.
This two-step match required fairly significant changes to some interfaces, and the addition of Key classes (i.e., CredentialKey/UserKey) to support the additional verification. An additional configuration parameter was added to indicate the initial-lookup as separate from the final UID attribute. E.g., CN=John Smith vs. UID=1234.

This addresses: LDAPIdentityStore doesn't support different cn/uid - ID: 2783588
http://sourceforge.net/tracker/?func=detail&aid=2783588&group_id=116854&atid=676232
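The two-step match the patch describes, written out as an added example (it is not the patch's own code and does not use the project's LDAPIdentityStore or CredentialKey/UserKey classes). It assumes an in-memory stand-in for the LDAP directory, fake DER byte strings in place of real certificates, and a simplified subject DN parser:

```python
import hashlib
from hmac import compare_digest

# Constructed sample directory (not real LDAP data): two entries share
# CN=John Smith, so the CN alone cannot identify the user. The byte strings
# are stand-ins for the DER values of userCertificate;binary.
DIRECTORY = [
    {"uid": "1234", "cn": "John Smith",
     "userCertificate;binary": [b"DER-CERT-A"]},
    {"uid": "5678", "cn": "John Smith",
     "userCertificate;binary": [b"DER-CERT-B", b"DER-CERT-B-OLD"]},
    {"uid": "9012", "cn": "Jane Doe",
     "userCertificate;binary": [b"DER-CERT-C"]},
]

def cn_from_subject(subject_dn):
    """Extract the CN value from an RFC 4514 subject DN string.
    Simplified parser: assumes no escaped commas or '=' in the values."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None

def fingerprint(der):
    """SHA-256 over the DER bytes; compared in constant time below."""
    return hashlib.sha256(der).digest()

def search_by_cn(directory, cn):
    """Step 1: the initial lookup, equivalent to the LDAP filter (cn=<cn>).
    casefold() mirrors LDAP's case-insensitive matching on cn."""
    return [e for e in directory if e["cn"].casefold() == cn.casefold()]

def resolve_uid(directory, subject_dn, presented_der):
    """Step 2: compare the presented certificate against every certificate
    stored on each candidate entry; return the uid only when exactly one
    entry matches (zero matches: unknown cert; several: ambiguous)."""
    cn = cn_from_subject(subject_dn)
    if cn is None:
        return None
    wanted = fingerprint(presented_der)
    matches = [e["uid"] for e in search_by_cn(directory, cn)
               if any(compare_digest(wanted, fingerprint(c))
                      for c in e["userCertificate;binary"])]
    if len(matches) != 1:
        return None
    return matches[0]
```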

Discussion

  • Nobody/Anonymous

    Patch for LDAP/X509 Auth resolution

  • vargo

    vargo - 2009-06-25

    Sorry, forgot to log in. This was provided by me (vargok).

  • vargo

    vargo - 2009-07-06

    Could an admin please delete this patch? I've uploaded an update via ID 2817582 (since I forgot to log in, I couldn't update the issue).