
Re: storing ldap passwords on HSM



lux-integ wrote:
> I have been searching webpages for guidance on using a smartcard (also known
> as an HSM) for storing passwords for an ldap database on a linux system.
> 
> This would include for instance how the userPassword (attribute) would be
> specified - i.e. how to specify the userPassword to read the PIN/SO-PIN/PUK
> {whatever} of the HSM/smart-card etc etc ??

It's not entirely clear what you want to achieve.

Which risks do you want to address?

1. For rootpw in configuration you should simply avoid setting it.

2. For protecting TLS client and server certificates' private keys you could
e.g. use PKCS#11 modules with OpenSSL (pkcs11 engine) or libnss. Never did
that myself though, and it will be slow for most smartcard hardware. And it
will be quite some work to implement a robust setup.

3. When using LDAP simple bind the client sends the password in clear and
slapd hashes it and compares it to hashed 'userPassword' value(s).

4. In case of SASL mechanisms which require 'userPassword' value(s) in clear
you would have to implement a reversible encryption password storage schema in
an OpenLDAP overlay and adapt some other layer/components to correctly use it.

=> much more detail needed

Ciao, Michael.
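To make points 3 and 4 above concrete, here is an added example (not code from the thread or from OpenLDAP itself) of how a hashed 'userPassword' value is produced and checked on the server side. It implements the {SSHA} scheme that slapd uses by default, plus {SHA} and an unprefixed cleartext value, with a constant-time comparison. The salt bytes and the passwords are constructed sample values; the function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} as stored by slapd: "{SSHA}" + base64( sha1(password || salt) || salt ).
# {SHA}  is the unsalted variant:  "{SHA}"  + base64( sha1(password) ).
# A value with no scheme prefix is treated as cleartext, which is what a SASL
# mechanism that needs the password in clear (point 4) would require.

SHA1_LEN = 20  # sha1 digest length in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value; salt defaults to 8 random bytes."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Return an unsalted {SHA} userPassword value (legacy scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a simple-bind password (received in clear) against a stored value.

    This mirrors what slapd does on simple bind: the client sends the password
    in clear over the connection, the server re-hashes it with the stored salt
    and compares digests. Comparison is constant-time to avoid leaking
    information through timing.
    """
    cand = candidate.encode("utf-8")

    if stored.startswith("{SSHA}"):
        try:
            raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
        except (ValueError, TypeError):
            return False
        if len(raw) < SHA1_LEN:
            return False  # malformed value: no room for digest + salt
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())

    if stored.startswith("{SHA}"):
        try:
            raw = base64.b64decode(stored[len("{SHA}"):], validate=True)
        except (ValueError, TypeError):
            return False
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())

    # No scheme prefix: slapd treats the value as cleartext. Only this form
    # (or a reversible scheme, which OpenLDAP does not ship) can satisfy
    # SASL mechanisms that need the plaintext on the server side.
    return hmac.compare_digest(stored.encode("utf-8"), cand)


if __name__ == "__main__":
    # Constructed demonstration values.
    stored = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(stored)
    print("ok:", verify_userpassword(stored, "correct horse"))
    print("wrong:", verify_userpassword(stored, "Correct horse"))
```

Note what this shows about the HSM question: with simple bind, nothing the server stores is a secret that a smartcard could usefully hold, because the stored value is a one-way hash; a hardware token helps only where a private key or a reversible key must stay unexposed, which is the TLS case in point 2 or the reversible-encryption case in point 4.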
