Re: OpenLDAP server should use windows certificate store for certificates

[pramod kulkarni <pammu.kulkarni@gmail.com>]

Thanks for the reply,

How to replace the file based access in OpenLDAP with windows certificate store access.

we have the functionality to access the windows certificate store but how to integrate with OpenLDAP ?

Regards,

Pramod

On Fri, Aug 2, 2013 at 10:57 PM, Michael Ströder <michael@stroeder.com> wrote:

Aaron Richton wrote:
> On Fri, 2 Aug 2013, pramod kulkarni wrote:
>
>> Hi,I need information on how to configure OpenLDAP server in the slapd.conf
>> to look for certificates from windows certificate store?
>> Currently i am using certificates from file in a path.
>>
>> Waiting for your inputs.
>
> In libraries/libldap you'll find
>
> tls_g.c  tls_m.c  tls_o.c
>
> which are for GnuTLS, MozNSS, and OpenSSL respectively. I'd imagine that the
> Right Thing would be to make a new file here, that utilizes the Windows crypto
> APIs (therefore accessing the Windows certificate stores).

You're talking about implementing a wrapper around Windows' schannel DLL which
in turn uses CAPI key stores.

Another also rather hypothetical approach:
I vaguely remember that someone wrote a PKCS#11 provider for accessing CAPI
keystore which could be used in libnss and therefore in OpenLDAP (tls_m.c).
It would be a lot of work to get that going - something for adventurers with
lots of spare time. ;-}

Ciao, Michael.