
Re: Storing TLS credentials in the directory

Turbo Fredriksson wrote:
On 9 Apr 2017, at 11:29, Howard Chu <hyc@symas.com> wrote:

Turbo Fredriksson wrote:
On 9 Apr 2017, at 04:06, Howard Chu <hyc@symas.com> wrote:

Only difference might be that the local FS isn’t available _outside_ the host, a directory

As soon as a host offers something like ssh, then that distinction is gone too.


Moreover, a secure mechanism for distributing private keys to users is required but nobody
ever specifies how to do that. Certainly LDAP/TLS is more manageable than sneakernet and
this is more bootstrappable.

Yeah, I’ve been struggling like crazy about this the last couple of months.

There are many scripts and some products that can be/handle a CA, but
no one seems to have thought about the actual distribution of the result(s).

Or how to restrict queries, distribution and what type of cert is/can be requested.

And every link I’ve ever seen about certs says “then copy it securely to the
destination”. But no wording on HOW to do that or how to script it (in a
more .. “automated” fashion).

Everything I’ve seen about the subject is so darn _complex_! It shouldn’t HAVE
to be.

Indeed, there's no reason for it.

So if you can do something like this, and leave the ACL/policies etc. to the admin,
using existing functionality (ACL/ACI/ppolicy or whatever), I’d be a very happy man! :)

This is coming along now...

Are you actually talking about OpenLDAP being a “CA” as well? As in, being able
to create certificates by requests, or are you talking about OpenLDAP “only”
being the … “backend-storage” for such a tool?

The autoca overlay turns slapd into a CA. It can generate certificates for any users (and servers) in the directory. Please read the slapo-autoca(5) manpage for more info.

For bootstrapping purposes I'm now extending back-config to be able to use certificates/keys stored directly in cn=config. The autoca overlay will be extended to store its generated CA cert in cn=config, so that a slapd can immediately support TLS as soon as the overlay is used (without requiring restarts).

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
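One way to script the "copy it securely to the destination" step that the thread complains nobody spells out, once slapd is acting as the CA: the server hands out each entry's certificate and private key over LDAP/TLS, an ACL restricts the key to its owner, and the client writes what it fetched with owner-only permissions. This is an added example, not code from the thread or from the OpenLDAP project. It assumes the overlay's cn=config attribute names (olcAutoCAuserClass, olcAutoCAuserDays, objectClass olcAutoCAConfig) as documented in slapo-autoca(5), that the generated material is exposed as userCertificate;binary and userPrivateKey;binary on the user's entry, and that ldapsearch is the OpenLDAP client; the database name, host and bind DN are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project.
# Assumptions (mine): slapo-autoca(5) attribute names, and that the
# generated cert/key live in userCertificate;binary / userPrivateKey;binary.
set -e

# 1. Server side: enable the overlay on the user database and make the
#    private key readable only by the entry it belongs to. Who may read
#    certificates stays an ordinary ACL decision for the admin.
#    Constructed LDIF; apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f server.ldif
SERVER_LDIF='dn: olcOverlay=autoca,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: autoca
olcAutoCAuserClass: person
olcAutoCAuserDays: 365

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPrivateKey by self read by * none
'

# 2. Client side: pull one base64 ("::") attribute out of LDIF output and
#    write the decoded DER to a file. LDIF folds long values onto continuation
#    lines that start with a single space, so those are joined before decoding.
#    Returns 1 if the attribute is absent (e.g. the ACL denied it).
ldif_attr_to_file() {
    attr=$1; ldif=$2; out=$3
    b64=$(printf '%s\n' "$ldif" | awk -v a="$attr" '
        BEGIN { want = 0 }
        /^ / { if (want) { sub(/^ /, ""); v = v $0 }; next }
        { if (want) exit }
        index($0, a "::") == 1 {
            v = substr($0, length(a) + 3); sub(/^ */, "", v); want = 1; next
        }
        END { print v }')
    [ -n "$b64" ] || return 1
    # umask 077 in a subshell: the key file is created 0600 from the start,
    # never briefly world-readable.
    (umask 077; printf '%s' "$b64" | base64 -d > "$out")
}

# 3. Fetch the bound user's own certificate and key. -ZZ makes ldapsearch
#    refuse to continue unless StartTLS succeeds, so the key never crosses
#    the wire in the clear. Bind DN doubles as the search base (-s base).
fetch_own_credentials() {
    host=$1; binddn=$2; outdir=$3
    ldif=$(ldapsearch -LLL -ZZ -H "ldap://$host" -D "$binddn" -W \
        -s base -b "$binddn" 'userCertificate;binary' 'userPrivateKey;binary')
    ldif_attr_to_file 'userCertificate;binary' "$ldif" "$outdir/cert.der"
    ldif_attr_to_file 'userPrivateKey;binary'  "$ldif" "$outdir/key.der"
}

# Offline demo on constructed LDIF shaped like `ldapsearch -LLL` output
# (values are base64 of "hello" and "secret", folded across two lines).
demo() {
    d=$(mktemp -d)
    sample='dn: uid=alice,ou=people,dc=example,dc=com
userCertificate;binary:: aGVs
 bG8=
userPrivateKey;binary:: c2Vj
 cmV0
'
    ldif_attr_to_file 'userCertificate;binary' "$sample" "$d/cert.der"
    ldif_attr_to_file 'userPrivateKey;binary'  "$sample" "$d/key.der"
    ls -l "$d"
}
demo
```

Usage is `fetch_own_credentials ldap.example.com "uid=alice,ou=people,dc=example,dc=com" "$HOME/.tls"`. The ACL bounds who can read a key through the directory, but because the overlay generates and stores the key server-side, the rootdn and anyone holding a database backup can still read it; that is the trade-off behind leaving the policy to the admin, and it is where the earlier point about ssh applies just as much to the directory host.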