Z-Push Certificate Based Authentication
-
Hello,
I want to configure certificate based authentication for Z-Push so that only devices with a client certificate from our CA are able to synchronize via ActiveSync.
I tried to set the following option with the CA from a Univention server, but can still synchronize without setting a client certificate.
// When using client certificates, we can check if the login sent matches the owner of the certificate.
// This setting specifies the owner parameter in the certificate to look at.
define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
And if I'm setting a client certificate the client cannot set up the account (I can't see any errors in the Z-Push logs).
Am I missing a configuration or am I making another misconfiguration?
-
Hi @raphi59,
@raphi59 said in Z-Push Certificate Based Authentication:
> Hello,
> I want to configure certificate based authentication for Z-Push so that only devices with a client certificate from our CA are able to synchronize via ActiveSync.
> I tried to set the following option with the CA from a Univention server, but can still synchronize without setting a client certificate.
> // When using client certificates, we can check if the login sent matches the owner of the certificate.
> // This setting specifies the owner parameter in the certificate to look at.
> define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
In Z-Push, a client certificate is optional for authentication. That means that users without a certificate will be able to log in using the correct username and password. If you want to allow only users with certificates, you'll have to do some code changes.
> And if I'm setting a client certificate the client cannot set up the account (I can't see any errors in the Z-Push logs).
> Am I missing a configuration or am I making another misconfiguration?
It's difficult to say anything without Z-Push/webserver logs. Is the auth user the same as the SSL_CLIENT_S_DN_CN value?
Manfred
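One way to express a "certificate required" rule in PHP, as an added example that is not Z-Push's own code and not from either poster. The function name `check_client_cert` and the sample values are hypothetical, and it assumes Apache mod_ssl exports its variables to PHP (`SSLOptions +StdEnvVars`).

```php
<?php
// Added example: hypothetical helper, not part of Z-Push.
// Same setting as in the thread: which mod_ssl variable names the owner.
define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");

/**
 * Returns [bool $allowed, string $reason].
 * $server is the request environment ($_SERVER in a real request).
 */
function check_client_cert(array $server, string $login): array
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    // Only SUCCESS means the certificate chained to the configured CA.
    $verify = $server['SSL_CLIENT_VERIFY'] ?? 'NONE';
    if ($verify !== 'SUCCESS') {
        return [false, "no verified client certificate (SSL_CLIENT_VERIFY=$verify)"];
    }

    // An unset or empty owner variable must deny, never skip the comparison.
    $owner = trim($server[CERTIFICATE_OWNER_PARAMETER] ?? '');
    if ($owner === '') {
        return [false, CERTIFICATE_OWNER_PARAMETER . ' is empty or not exported'];
    }

    // Exact, case-insensitive match between login and certificate owner.
    if (strcasecmp($login, $owner) !== 0) {
        return [false, "login '$login' does not match certificate owner '$owner'"];
    }
    return [true, 'client certificate matches login'];
}

// Constructed sample requests (not taken from any real log).
$cases = [
    'password only, no cert' => [[], 'alice'],
    'cert from unknown CA'   => [['SSL_CLIENT_VERIFY' => 'FAILED:unable to verify',
                                  'SSL_CLIENT_S_DN_CN' => 'alice'], 'alice'],
    'valid cert, CN differs' => [['SSL_CLIENT_VERIFY' => 'SUCCESS',
                                  'SSL_CLIENT_S_DN_CN' => 'alice'], 'alice@example.com'],
    'valid cert, CN matches' => [['SSL_CLIENT_VERIFY' => 'SUCCESS',
                                  'SSL_CLIENT_S_DN_CN' => 'alice'], 'Alice'],
];

foreach ($cases as $name => [$server, $login]) {
    [$ok, $reason] = check_client_cert($server, $login);
    printf("%-24s %s: %s\n", $name, $ok ? 'ALLOW' : 'DENY', $reason);
}
```

Setting `SSLVerifyClient require` for the ActiveSync location in Apache rejects certificate-less clients during the TLS handshake, before any PHP runs.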