[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8586) load cert+chain from TLSCertificateFile

Howard Chu wrote:
> It's pretty much unheard of for an LDAP server to trust TLS client certs issued by a CA
> different from the LDAP server's own CA. Since client certs are usually issued only to
> allow authentication, an LDAP server will only trust its own CA to issue identities to
> clients.

Not sure what you consider to be "pretty much unheard of".
But I vaguely remember having already described this use case:

1. Assume *all* clients have to authenticate to the LDAP server to get properly
authorized to even see data (no anon access).

2. Furthermore there is a config management system available at the site which already
issues client certs for its own internal use (e.g. puppet with master and CA).

In this case you want to (re)use the config mgmt client certs to simple authenticate
those particular LDAP clients but not want to use the config mgmt CA to be trusted also
to issue server certs which ensures MITM protection for all other LDAP clients probably
sending bind requests with clear-text passwords.

=> OpenLDAP's configuration should it possible to define different root CA chains for the
local server cert and accepted client certs validation.

Ciao, Michael.

P.S.: You might have guessed: I'm using this in Æ-DIR to avoid having to set server
passwords for thousands of servers.