Chapter 9. Authentication in ThinLinc
/utils/tl-ldap-certalias/users/bindpw
The password to use in combination with binddn for bind operations. If binddn is left empty, this
can also be left empty.
/utils/tl-ldap-certalias/certs/uri
/utils/tl-ldap-certalias/certs/base
/utils/tl-ldap-certalias/certs/binddn
/utils/tl-ldap-certalias/certs/bindpw
If certificate_user_match is not sameobject, these settings will be used to determine where to look
for certificates. They follow the same rules as the settings for users.
9.5.7.3. Certificate validation
tl-ldap-certalias can perform validation of certificates found in LDAP databases by the following
methods if allow_invalid_certificates is set to yes:
Certificate validity and expiry dates
tl-ldap-certalias now checks the certificate validity and expiry dates and rejects certificates that are
not valid yet or have expired.
Matching certificate to certificate issuers
Place the CA certificates you wish to trust certificates from in /opt/thinlinc/etc/ca/. The CA
certificates must be in DER form. If tl-ldap-certalias finds a certificate with an issuer that does not
match any of the certificates in /opt/thinlinc/etc/ca/, the certificate will be considered
invalid and ignored.
Certificate revocation lists
tl-ldap-certalias searches the certificates it encounters for certificate revocation lists (CRLs), to make
sure that the certificate has not been revoked by its issuer. Once downloaded, a CRL is
cached until the time of the next scheduled update recorded in the CRL has passed.
Note: tl-ldap-certalias can only handle CRLs distributed over HTTP.
Validation of certificate signatures
tl-ldap-certalias can verify that the certificate signature is valid and thus assures that the certificate
has not been tampered with.
Note: To validate rsa-sha256, rsa-sha384 and rsa-sha512 certificate signatures, Python 2.5 or
newer is required. Trying to validate signatures with an older Python version will result in the
certificate being rejected with the message "Certificate signature algorithm is unknown".
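The validation steps above, as an added example that is not ThinLinc's own code: it uses the third-party Python `cryptography` library (tl-ldap-certalias's own implementation is not shown on this page), and the CA/user certificate pair, the CRL URL and the names are constructed for illustration.

```python
# Added example, not ThinLinc's code: the page's checks done with the third-party cryptography library.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def http_crl_urls(cert):
    """CRL distribution points a tool that only fetches CRLs over HTTP can use."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in dps for n in (dp.full_name or []) if isinstance(
        n, x509.UniformResourceIdentifier) and n.value.lower().startswith("http://")]

def validate(cert, trusted_cas, now=None):
    """Return (ok, reason): dates, issuer among the trusted CA certs, then signature."""
    utc = dt.timezone.utc  # older cryptography releases hand back naive UTC datetimes
    start = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=utc)
    end = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=utc)
    now = now or dt.datetime.now(utc)
    if now < start or now > end:
        return False, "certificate not yet valid or expired"
    issuers = [ca for ca in trusted_cas if ca.subject == cert.issuer]
    if not issuers:
        return False, "issuer not found among trusted CA certificates"
    for ca in issuers:  # a matching issuer name is not enough: the signature must verify
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True, "valid"
        except Exception:  # InvalidSignature, or a non-RSA issuer key
            continue
    return False, "certificate signature does not verify"

def constructed_chain(issued_days_ago=1):
    """Constructed test data: a CA and the 30-day user certificate it signed."""
    name = lambda cn: x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    crl = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")], None, None, None)])
    def build(cn, issuer_cn, pub, signer, days_ago, days):
        start = dt.datetime.now(dt.timezone.utc) - dt.timedelta(days=days_ago)
        return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
                .public_key(pub).serial_number(x509.random_serial_number())
                .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days))
                .add_extension(crl, critical=False).sign(signer, hashes.SHA256()))
    ca_key, user_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca = build("Example CA", "Example CA", ca_key.public_key(), ca_key, 1, 365)
    user = build("alice", "Example CA", user_key.public_key(), ca_key, issued_days_ago, 30)
    return ca, user
```

A second CA that merely shares the subject name "Example CA" is rejected at the signature step, which is the tampering check the page describes; a real deployment would load the trusted certificates from /opt/thinlinc/etc/ca/ with `x509.load_der_x509_certificate` instead of constructing them.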