
RE: SASL External : certificates stored in LDAP

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Francois Beretti

> Hello all
> is it planned[/possible] in future development to let the
> SASL/EXTERNAL mechanism directly work with user certificates stored in
> the OpenLDAP directory, instead of having them stored in the user
> filesystem ?
> or is it better to keep this concept off of the mechanism ? :
> if somebody
> wants it, he must make his own client that will first retrieve the
> userCertificate anonymously before starting an authenticated
> communication

The SASL/EXTERNAL mechanism is completely ignorant of whatever security
scheme is in place. The real question has nothing to do with SASL.

As a practical matter, with existing protocols like TLS, there's nothing to
gain by doing this. The TLS protocol doesn't provide a mechanism for
asserting your identity without using a certificate, so you need to have it
to initiate a session. Retrieving your own cert in an anonymous session will
of course work, but it's an extra step that is basically unnecessary.

Having certs in the directory is useful to assist in the distribution of the
certs. Once the certs have been received by their owners, there's no reason
to retrieve them again, unless you're retrieving it on a new machine and
didn't drag a copy along with you. Keeping the certs in a central directory
(hah) is also useful if you're sending signed email to someone and they've
never retrieved your public key before. (The joke of this is, there is no
"central directory" anywhere in the world...)

One of the modules Symas built on top of OpenLDAP is a certificate server -
you bind on a secure connection, perform a particular search, and the server
generates a cert/key matching your DN and returns it to you, also storing
the cert in the database under your DN's entry. Later you can of course
retrieve the cert any number of times, but the private key is not saved
anywhere. Much easier than the command-line scripts that are bundled with

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
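The point above, that SASL/EXTERNAL only consumes an identity the transport layer has already established, is easy to see in a small model of the server side of the bind. The following is an added example written for this page, not OpenLDAP or Symas code: it imitates slapd's `authz-regexp` mapping (a regex over the TLS-asserted subject DN, a replacement with `$1`..`$9` group references) but with simplified DN normalisation, a single DN-form replacement (the LDAP-URL replacement form is omitted), and an assumed rule set and subject DNs. Nothing here reads a certificate from the directory, because by the time EXTERNAL runs the certificate has already been presented in the TLS handshake.

```python
"""Model of identity derivation for a SASL/EXTERNAL bind over TLS.

Added illustration (not OpenLDAP code).  Assumptions: the TLS layer hands
over the client certificate's subject DN as an RFC 2253 string (most
specific RDN first), rules use slapd-style regex + "$N" replacement, and
normalisation is limited to case-folding attribute types and trimming
whitespace.
"""
import re
from typing import Optional, Sequence, Tuple


class ExternalBindError(Exception):
    """Raised when the transport asserted no identity at all."""


def normalize_dn(dn: str) -> str:
    """Crude stand-in for server-side DN normalisation.

    Lower-cases attribute types and strips whitespace around '=' and
    unescaped ','; attribute values are left untouched.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip()}")
    return ",".join(parts)


def tls_asserted_identity(peer_cert_subject: Optional[str]) -> str:
    """What TLS hands to SASL/EXTERNAL: the client cert's subject DN.

    SASL/EXTERNAL knows nothing about X.509; it only sees this string.
    Without a client certificate there is nothing to assert and the
    bind cannot proceed (the client needed the cert before the session).
    """
    if not peer_cert_subject:
        raise ExternalBindError("SASL/EXTERNAL: no identity asserted by the transport")
    return normalize_dn(peer_cert_subject)


def map_authzid(authzid: str, rules: Sequence[Tuple[str, str]]) -> str:
    """Apply the first matching (pattern, replacement) rule.

    "$N" in the replacement expands to capture group N (1..9).  With no
    matching rule the asserted DN is used verbatim, which is also what
    slapd does when no authz-regexp applies.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authzid, flags=re.IGNORECASE)
        if m is None:
            continue
        out = replacement
        for i, group in enumerate(m.groups()[:9], start=1):
            out = out.replace(f"${i}", group)
        return out
    return authzid


def external_bind(peer_cert_subject: Optional[str],
                  rules: Sequence[Tuple[str, str]]) -> str:
    """Full path: transport identity -> normalised DN -> authorization DN."""
    return map_authzid(tls_asserted_identity(peer_cert_subject), rules)


# Assumed rule set (constructed for this example): certificate subjects
# issued under ou=People are mapped onto the uid=... entries the directory
# actually binds as.
RULES = [
    (r"cn=([^,]+),ou=people,dc=example,dc=com",
     "uid=$1,ou=users,dc=example,dc=com"),
]


if __name__ == "__main__":
    # Constructed subject DNs, not taken from any real certificate.
    print(external_bind("CN=Francois Beretti, OU=People, DC=example, DC=com", RULES))
    print(external_bind("cn=admin,o=other", RULES))
    try:
        external_bind(None, RULES)
    except ExternalBindError as exc:
        print("bind refused:", exc)
```

Read top to bottom, `external_bind` never touches the directory or any `userCertificate` attribute: the only input from the security scheme is a string the transport already vouched for, which is what "completely ignorant of whatever security scheme is in place" means in practice. Fetching your own certificate anonymously before the TLS handshake would have to happen in a separate, earlier connection, exactly the extra step the reply calls unnecessary.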