Greetings.

On 28 Jun 2023, at 3:41, Jordan Brown wrote:

> On 6/27/2023 7:14 PM, Quanah Gibson-Mount wrote:
>
>> Using a public CA for client certs seems very odd to me.
>
> Depends on your use case. Think of it as a form of federated login.

Indeed. I've done something similar in the past (this was with access to a web service rather than an LDAP server, but the logic is the same).

Some of my users had, and knew how to use, X.509 certs issued by a large computing grid. So I got my server to trust the CA's cert, and listed the DNs allowed access. The grid CA did the legwork of setting up the PKI and checking the users, and I piggybacked on that, feeling rather smart.

Unfortunately, not _all_ of the relevant users had those certs, so I still had to set up a local CA, which meant it ended up more trouble than it was in fact worth.

Best wishes,

Norman

--
Norman Gray : https://nxg.me.uk
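The two steps described in the message above (have the server trust the external CA's certificate, then grant access only to an explicit list of subject DNs), as an added Python example that is not code from the thread or from any of the posters. The CA file path, the allowlist entries and the sample peer-certificate dictionary are all constructed for illustration; the dictionary mirrors the shape that `ssl.SSLSocket.getpeercert()` returns after a successful handshake.

```python
"""
Added example (not from the mailing-list thread): a server-side TLS context
that trusts a single CA for client authentication, plus an allowlist check on
the authenticated client's subject DN.  Every cert holder under that CA can
complete the handshake; the DN allowlist is what actually grants access.
"""
import ssl
from typing import Iterable

# Constructed placeholder: PEM file holding the external CA's certificate.
TRUSTED_CA_FILE = "/etc/pki/external-grid-ca.pem"

# Constructed allowlist of subject DNs permitted to use the service.
ALLOWED_DNS = {
    "C=XX,O=Example Grid,OU=Users,CN=alice",
    "C=XX,O=Example Grid,OU=Users,CN=bob",
}

# Constructed sample of what getpeercert() yields for an allowlisted client.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "XX"),),
        (("organizationName", "Example Grid"),),
        (("organizationalUnitName", "Users"),),
        (("commonName", "alice"),),
    ),
    "issuer": (
        (("countryName", "XX"),),
        (("organizationName", "Example Grid"),),
        (("commonName", "Example Grid CA"),),
    ),
}

# Abbreviations used when flattening the subject into an RFC 4514-style string.
_SHORT_NAMES = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
    "emailAddress": "EMAIL",
}


def server_context(cafile: str = TRUSTED_CA_FILE) -> ssl.SSLContext:
    """Server context that demands a client cert chaining to the one trusted CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Reject any handshake that does not present a client certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Trust only the named CA; the OS trust store is deliberately not loaded,
    # so certs from other public CAs cannot authenticate here.
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def dn_from_peercert(peercert: dict) -> str:
    """Flatten getpeercert()['subject'] into 'C=..,O=..,CN=..' form."""
    parts = []
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            parts.append(f"{_SHORT_NAMES.get(attr_type, attr_type)}={value.strip()}")
    return ",".join(parts)


def is_authorized(peercert: dict, allowed: Iterable[str] = ALLOWED_DNS) -> bool:
    """True only if the CA-verified client's subject DN is on the allowlist.

    Comparison is case-insensitive so that a differently-cased reissue of the
    same DN still matches; an empty dict (no cert verified) never matches.
    """
    presented = dn_from_peercert(peercert).lower()
    return bool(presented) and presented in {dn.lower() for dn in allowed}


if __name__ == "__main__":
    # The context build needs a real PEM file, so only the DN logic runs here.
    print(dn_from_peercert(SAMPLE_PEERCERT), "->", is_authorized(SAMPLE_PEERCERT))
```

The context does the "trust the CA's cert" half; `is_authorized` does the "listed the DNs allowed access" half, and the two must be combined, since trusting the CA alone would admit every certificate that CA has ever issued. The DN strings in the allowlist must track how the CA actually encodes subjects, including attribute order, or valid users will be refused.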
