[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Storing TLS credentials in the directory

To: Turbo Fredriksson <turbo@bayour.com>, OpenLDAP-devel@openldap.org
Subject: Re: Storing TLS credentials in the directory
From: Howard Chu <hyc@symas.com>
Date: Sun, 9 Apr 2017 14:24:08 +0100
In-reply-to: <WM!f39622754a54a322cd4b5d4c797e2b29ba134ab8db60fd17eed0c572861319bf9e5b6654563372ab175acd66972902c7!@mailstronghold-2.zmailcloud.com>
References: <E1cx31W-0005aD-M5@euler.openldap.org> <WM!4ba83b2090d2bd1da4412c283bf93e9733cc0be005cc6e1eea16569b1a5755a16c137c899e1426c4e700614ef0d86a6e!@mailstronghold-2.zmailcloud.com> <faee960d-3967-2eed-b6ec-d2f8e0b4fdc6@symas.com> <9444E7C8-A0A8-464B-9BAA-B057162CF14F@bayour.com> <BE9CD1C3-B433-453A-92EE-258046EA3796@bayour.com> <WM!72c4bd8a502cb74b06f81b6b79f016b392e96533e633776189e8f3d79378f724d1b0950ee046f711f5b3fe60c82ab046!@mailstronghold-1.zmailcloud.com> <3b82bb6c-d295-586a-97ae-1498b74062bd@symas.com> <7A069EFE-53C6-4EDC-98DC-F2D9F53F2A18@bayour.com> <WM!f39622754a54a322cd4b5d4c797e2b29ba134ab8db60fd17eed0c572861319bf9e5b6654563372ab175acd66972902c7!@mailstronghold-2.zmailcloud.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2

Turbo Fredriksson wrote:

On 9 Apr 2017, at 11:29, Howard Chu <hyc@symas.com> wrote:

Turbo Fredriksson wrote:

On 9 Apr 2017, at 04:06, Howard Chu <hyc@symas.com> wrote:

Only difference might be that the local FS isn’t available _outside_ the host, a directory
is.


As soon as a host offers something like ssh, then that distinction is gone too.


True.

Moreover, a secure mechanism for distributing private keys to users is required but nobody
ever specifies how to do that. Certainly LDAP/TLS is more manageable than sneakernet and
this is more bootstrappable.


Yeah, I’ve been struggling like crazy about this the last couple of months.

There’s many scripts and some products that can be/handle a CA, but
no one seems to have thought about the actual distribution of the result(s).

Or how to restrict queries, distribution and what type of cert is/can be requested.

And every link I’ve ever seen about certs, “then copy it securely to the
destination”. But no wording on HOW to do that or how to script it (in a
more .. “automated” fashion).

Everything I’ve seen about the subject is so darn _complex_! It shouldn’t HAVE
to be.


Indeed, there's no reason for it.

So if you can do something like this, and leave the ACL/policies etc to the admin,
using existing functionality (ACL/ACI/ppolicy or whatever), I’d be a very happy man! :)


This is coming along now...


Are you actually talking about OpenLDAP being a “CA” as well? As in, being able
to create certificates by requests, or are you talking about OpenLDAP “only”
being the … “backend-storage” for such a tool?

The autoca overlay turns slapd into a CA. It can generate certificates for anyusers (and servers) in the directory. Please read the slapo-autoca(5) manpagefor more info.

For bootstrapping purposes I'm now extending back-config to be able to usecertificates/keys stored directly in cn=config. The autoca overlay will beextended to store its generated CA cert in cn=config, so that a slapd canimmediately support TLS as soon as the overlay is used (without requiringrestarts).


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Storing TLS credentials in the directory
  - From: Michael Ströder <michael@stroeder.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>

References:
- Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>

Prev by Date: Re: Storing TLS credentials in the directory
Next by Date: Re: Storing TLS credentials in the directory
Index(es):
- Chronological
- Thread