Pathfinder and OpenLDAP

What is it?

Our open-source Pathfinder library allows applications to easily perform RFC3280-compliant path validation of X.509 certificates.

We've created several patches for the OpenLDAP 2.3.41 server, as follows:

  • The first patch is a port of Boeing's ldap-proxy backend to a modern version of OpenLDAP, which can also use Pathfinder to validate any certificates retrieved by the ldap-proxy backend before they are returned to the requesting connection. Policy mapping, policy constraints, and name constraints are all handled transparently.
  • The second patch allows OpenLDAP to use Pathfinder to validate client certificates presented as part of a TLS negotiation for an LDAPS connection. Policy mapping, policy constraints, and name constraints are all handled transparently.
  • A third patch combines both of the above: it allows Pathfinder to validate client certificates for TLS negotiation and any certificates retrieved by the ldap-proxy backend.

Current Status:

Pathfinder and these patches for OpenLDAP are presently under active development.

Download:

Patch: adds Boeing ldap-proxy with Pathfinder: openldap-2.3.41-pathfinder-getcert-20080428.diff.gz

Patch: adds Pathfinder for TLS connections: openldap-2.3.41-pathfinder-tls-20080428.diff.gz

Megapatch: adds ldap-proxy with Pathfinder, and Pathfinder for TLS: openldap-2.3.41-pathfinder-both-20080428.diff.gz

NEW! RPM packages for OpenLDAP 2.3.39, for CentOS 5.1 (or RHEL) with pathfinder and ldap-proxy built in, are available.

Patch Instructions:

  • Make sure you have the WvStreams 4.4 library installed.
  • Make sure you have Pathfinder 0.2.4 and libpathfinder-openssl installed and appropriately configured.
  • Make sure you have pkg-config installed, and that it knows about libpathfinder.
  • Apply one of the second, third, or fourth patches to a clean openldap-2.3.41 build tree (it may also apply cleanly against other versions).
  • Run "autoconf" and "autoheader".
  • When running "./configure", specify "--with-pathfinder".
  • Compile and install the OpenLDAP server.
  • Enable pathfinder for client certificates with the "TLSPathfinder on" command in the slapd.conf file.
  • If using Boeing's ldap-proxy backend, enable pathfinder for fetched certificates using the "getcert-pathfinder on" command in the slapd.conf, in addition to any other necessary ldap-proxy configuration settings.

RPM Instructions:

  • Install the RPM packages linked above. You may need to use "yum" to satisfy additional dependencies, and you may need to get some packages from EPEL.
  • OpenLDAP is installed in /opt/ldap-proxy by default.
  • Configure the server as per the last two points in the patch instructions above.
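The following helper script is an added example and is not part of the Pathfinder project or the OpenLDAP patches; it walks the patch procedure above (prerequisite check, patch, autoconf/autoheader, configure with "--with-pathfinder", build) and then verifies that the two slapd.conf directives named in the last two patch steps, which the RPM instructions also rely on, are actually enabled. The source tree path, the patch file name, the patch strip level (-p1), the DRY_RUN switch and the function names are assumptions of this example, not values the page gives.

```shell
#!/bin/sh
# Added example for the Pathfinder/OpenLDAP patch and RPM procedures above.
# Everything here (function names, -p1 strip level, DRY_RUN) is an assumption
# of this example; the directive names come from the page.
set -u

# Return 0 when pkg-config is installed and knows about libpathfinder,
# which the patch instructions require before configure is run.
pathfinder_pkgconfig_ok() {
    command -v pkg-config >/dev/null 2>&1 || return 1
    pkg-config --exists libpathfinder
}

# Execute a command, or only print it when DRY_RUN=1 (assumed switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Apply one of the page's patches to a clean OpenLDAP source tree and rebuild
# with --with-pathfinder, following the patch instructions step by step.
#   $1 = path to the clean openldap-2.3.41 tree (assumed location)
#   $2 = gzipped patch, e.g. openldap-2.3.41-pathfinder-both-20080428.diff.gz
build_with_pathfinder() {
    tree=$1
    patch_gz=$2
    run sh -c "cd '$tree' && gunzip -c '$patch_gz' | patch -p1"  # -p1 assumed
    run sh -c "cd '$tree' && autoconf && autoheader"
    run sh -c "cd '$tree' && ./configure --with-pathfinder"
    run sh -c "cd '$tree' && make && make install"
}

# Return 0 when slapd.conf enables Pathfinder for TLS client certificates
# ("TLSPathfinder on"); with a second argument of --getcert also require
# "getcert-pathfinder on" for the ldap-proxy backend. Commented lines are
# ignored because the directive must start the line.
pathfinder_enabled_in() {
    conf=$1
    want_getcert=${2:-}
    grep -Eiq '^[[:space:]]*TLSPathfinder[[:space:]]+on' "$conf" || return 1
    if [ "$want_getcert" = "--getcert" ]; then
        grep -Eiq '^[[:space:]]*getcert-pathfinder[[:space:]]+on' "$conf" || return 1
    fi
    return 0
}

# Stand-alone usage: check the installed configuration (RPM default prefix
# /opt/ldap-proxy from the page; the slapd.conf path under it is assumed).
if [ "${1:-}" = "check" ]; then
    conf=${2:-/opt/ldap-proxy/etc/openldap/slapd.conf}
    if pathfinder_enabled_in "$conf" --getcert; then
        echo "Pathfinder enabled for TLS and ldap-proxy in $conf"
    elif pathfinder_enabled_in "$conf"; then
        echo "Pathfinder enabled for TLS only in $conf"
    else
        echo "Pathfinder is NOT enabled in $conf" >&2
        exit 1
    fi
fi
```

Run it as `sh pathfinder-check.sh check /path/to/slapd.conf` after installing the RPMs or the patched build; a non-zero exit means client certificates are still being accepted without Pathfinder's path validation, which is the misconfiguration most worth catching before exposing the LDAPS listener.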

Need Help?

Let us know!