[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OT: Security management/distribution in "The Cloud" (Was: Dogtag CA with OpenLDAP?)



Turbo Fredriksson wrote:
On 28 Mar 2017, at 11:22, Howard Chu <hyc@symas.com> wrote:

We had a module for OpenLDAP 2.0, way back when. It hasn't been maintained in years.

Ok, I see :(. What did that do exactly? Name?

I've dug it up and gotten it working again.

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2b920ecaecc2e4858a33d0c8151bcf3b3d71cadd

Basically it's an overlay that generates certificates for users and servers residing in the directory. A single Search request across the entire directory can trigger generation of certs for every relevant entry.



Sorry for the OT (although it’s _slightly_ relevant to OpenLDAP I guess).

But how do people handle secrets (key/value, certificates etc) in a cloud
environment? With bare metal, you usually don’t spinup/down machines
that often, so distributing stuff like that is “easy”. But with the cloud and
“resources are cattle, not pets”, how to do that there!?

This have been racking my brain (and several of my friends and colleagues)
for months now!


I’m using OpenLDAP and MIT Kerberos V for users and passwords, but
I’m not sure how I could (if I should) utilise that to keep “secrets”.


I’ve looked at Hashicorp Vault, but that’s extremely immature and not any
where near ready a “production” environment (not to mention that it lacks
very important functions etc).


Dogtag is apparently good enough (although huge - might not need all that
functionality), but maintaining an additional LDAP/KerberosV setup is seriously
unappealing!

But what else is there?



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/