Looking for clarification of Chapter/Section 3.1.1 from the "Oracle® Fusion Middleware Administrator's Guide for Oracle Authentication Services for Operating Systems 11g Release 1 (11.1.1)" which states:
"3.1.1 SSL Support
Oracle Internet Directory can be configured for SSL-no authentication, SSL-server authentication and SSL-mutual authentication modes. In all three modes, the data is encrypted during transmission. Oracle Internet Directory comes pre-configured with the SSL-no authentication mode. However, some clients such as the PAM_LDAP clients used for Linux user authentication do not support this mode and only support SSL-server authentication mode."
This statement readily covers NON-SSL, SSL-NoAuth, and SSL-Server authentication modes; however, the answer to the question of mutual authentication is ambiguous.
The wording seems to indicate some PAMs may not support Mutual Auth and only support NON-SSL and SSL-Server Auth. Is there any reason why Mutual SSL Authentication would be an issue? I expect, if not, that we would have to manually update the keystores, as the scripts seem to only configure NON-SSL, SSL-No Auth, and SSL-Server Auth. I'm guessing Mutual Auth would require us to use a service account?
Mutual authentication is a security feature in which a client process must prove its identity to a service, and the service must prove its identity to the client, before any application traffic is transmitted over the client/service connection. Perhaps some PAM_LDAP clients do not have support for this, and PAM and External Authentication are mutually exclusive.
Understanding that we'd have to manually update the keystore to include the 'client' certificate, and accepting that the certificate would need to be based on the hostname, are you aware of any PAMs which would have this limitation?
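To make the four modes in the quoted guide concrete from the client side, here is an added example (not code from Oracle, the guide, or any PAM_LDAP project) that reads an OpenLDAP-style ldap.conf and reports which mode the client is actually configured for. It assumes the client honours the OpenLDAP directives URI, TLS_REQCERT, TLS_CACERT, TLS_CERT and TLS_KEY; the host names, ports and file paths in the samples are constructed for the example. The practical points it surfaces are that "SSL-server authentication" needs both an ldaps:// URI and a trusted CA to validate the server against, and that "SSL-mutual authentication" is only reached when the client also has a certificate and key to present.

```python
"""Classify an LDAP client's TLS configuration into the modes named in the
Oracle Authentication Services for Operating Systems guide: non-SSL,
SSL-no authentication, SSL-server authentication, SSL-mutual authentication.

Added example; not Oracle's or a PAM_LDAP project's own code. Assumes the
client reads OpenLDAP-style ldap.conf directives (URI, TLS_REQCERT,
TLS_CACERT, TLS_CERT, TLS_KEY). All sample configurations are constructed.
"""

# Constructed sample: encrypted, server verified against a CA (server auth).
SAMPLE_SERVER_AUTH = """
# ldap.conf (constructed sample)
URI         ldaps://oid.example.internal:3131
BASE        dc=example,dc=internal
TLS_CACERT  /etc/openldap/cacerts/oid-ca.pem
TLS_REQCERT demand
"""

# Constructed sample: as above, plus a client certificate and key (mutual auth).
SAMPLE_MUTUAL = """
URI         ldaps://oid.example.internal:3131
TLS_CACERT  /etc/openldap/cacerts/oid-ca.pem
TLS_REQCERT demand
TLS_CERT    /etc/openldap/client.pem
TLS_KEY     /etc/openldap/client-key.pem
"""

# Constructed sample: encrypted, but the server certificate is never checked.
SAMPLE_NO_AUTH = """
URI         ldaps://oid.example.internal:3131
TLS_REQCERT never
"""

# Constructed sample: plain ldap://, nothing encrypted.
SAMPLE_PLAIN = """
URI  ldap://oid.example.internal:3060
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; directive names are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def classify_tls_mode(text):
    """Return (mode, findings) for the client configuration in `text`.

    findings is a list of human-readable gaps between what the configuration
    looks like and the authentication it really provides.
    """
    conf = parse_ldap_conf(text)
    findings = []

    if not conf.get("URI", "").lower().startswith("ldaps://"):
        # STARTTLS over ldap:// is negotiated by the application, not by
        # ldap.conf alone, so from this file's point of view it is non-SSL.
        return "non-SSL", ["URI is not ldaps://: traffic is unencrypted "
                           "unless the application negotiates STARTTLS"]

    # OpenLDAP defaults TLS_REQCERT to demand when it is not set.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    has_cert, has_key = "TLS_CERT" in conf, "TLS_KEY" in conf
    if has_cert != has_key:
        findings.append("TLS_CERT and TLS_KEY must both be set for the client "
                        "to offer a certificate")

    if reqcert in ("never", "allow"):
        # Encrypted, but the server's identity is not enforced.
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not "
                        "enforced, so the server is not authenticated")
        mode = "SSL-no authentication"
    else:
        # try / demand / hard: a presented certificate must validate.
        if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
            findings.append("no TLS_CACERT or TLS_CACERTDIR: the server "
                            "certificate cannot be validated to a trusted CA")
        mode = "SSL-server authentication"

    if has_cert and has_key:
        if mode == "SSL-server authentication":
            mode = "SSL-mutual authentication"
        else:
            findings.append("client certificate offered while the server is "
                            "not verified: this is not mutual authentication")
    return mode, findings


if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("no-auth", SAMPLE_NO_AUTH),
                         ("server-auth", SAMPLE_SERVER_AUTH),
                         ("mutual", SAMPLE_MUTUAL)]:
        mode, findings = classify_tls_mode(sample)
        print(f"{name:12s} -> {mode}; findings: {findings or 'none'}")
```

The checker is deliberately conservative: a client that sets TLS_CERT/TLS_KEY but relaxes TLS_REQCERT is flagged rather than counted as mutual authentication, since the service is then not proving its identity to the client, which is half of the definition given above.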
My experience and knowledge in this area is limited, but perhaps you will find the following article interesting, in particular regarding the SASL mechanism outlined at the end: http://download.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html