directory-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 07:51:27 GMT
On 10/23/12 8:09 AM, Kiran Ayyagari wrote:
> Hi All,
>
>      I am currently implementing an X509 trust manager that is used for
> checking client certificates while using TLS for replication.
>
>      This trust manager can work in any one of the two modes
>              1. trust all (default mode)
>              2. trust only the specified certificates
>
>      In the 2nd mode, the trust manager loads a set of certificates stored in
> the DIT under ou=certificates,ou=system (a new branch) [1]

Will it be a separate partition ?

>      and checks against this list. A certificate that is not present
> in this list but is signed by a known CA will be trusted
> automatically.
>
>     The initial idea is to use this trust manager only for replication
> connections, but I would like to know your thoughts about using it
>      in StartTLS and LDAPS connections by default?
Well, usually, we fetch the certificate from the user entry, so we only 
have one place to store every piece of information relative to a user. 
Typically, there is no specific reason to not store the public key 
certificate of a user somewhere else than in the user's entry.

Now, we can certainly imagine a situation where you want to gather many 
certificates in a single place.

Keep in mind we can also add an index on certificates (although we will 
have to write a specific matching rule and the associated comparator in 
order to avoid doing a plain byte[] comparison of certificates). I'm 
sorry, but here I don't have enough knowledge to foresee all the 
consequences of such a modification, I have to do my homework :)

Anyway, this is certainly an area we have to investigate !
>
> [1] I am thinking of replacing the unused
> prefNodeName=sysPrefRoot,ou=system branch with
> ou=certificates,ou=system, please raise any
>       objections you may have w.r.t. this change.
Well, I'd rather keep this branch, and create a new one atm. We can 
delete the prefNodeName later if needed.

Btw, will it impact the configuration ?


-- 
Regards,
Kind regards,
Emmanuel Lécharny
www.iktek.com
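The two trust-manager modes discussed in this thread, written out as an added example (this is not ApacheDS code and not Kiran's implementation). The class name, the Mode enum and the constructor are hypothetical; loading the pinned certificates from ou=certificates,ou=system is assumed to be done by the caller, who passes them in as a collection. Certificates that are not pinned are handed to the JVM's default trust manager, which is what gives the "signed by a known CA is trusted automatically" behaviour. Pinned certificates are looked up by issuer and serial number rather than by comparing raw DER bytes, which is one way to sidestep the byte[] comparison problem Emmanuel raises about indexing.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative two-mode client-certificate trust manager (added example, not ApacheDS code).
 * TRUST_ALL accepts any chain; ALLOWLIST accepts a certificate that is either pinned
 * or validated against the JVM's default CA trust store.
 */
public class ReplicationTrustManager implements X509TrustManager {

    public enum Mode { TRUST_ALL, ALLOWLIST }

    private final Mode mode;
    // Pinned certificates keyed by (issuer DN, serial) instead of by raw DER bytes.
    private final Map<String, X509Certificate> pinned = new HashMap<>();
    private final X509TrustManager caDelegate;

    // pinnedCerts is assumed to have been read from ou=certificates,ou=system by the caller.
    public ReplicationTrustManager(Mode mode, Collection<X509Certificate> pinnedCerts)
            throws GeneralSecurityException {
        this.mode = mode;
        for (X509Certificate c : pinnedCerts) {
            pinned.put(key(c), c);
        }
        this.caDelegate = defaultTrustManager();
    }

    // Canonical issuer DN plus serial number: a re-encoded copy of the same
    // certificate still maps to the same key.
    private static String key(X509Certificate c) {
        return c.getIssuerX500Principal().getName(X500Principal.CANONICAL)
                + "#" + c.getSerialNumber();
    }

    // The platform trust manager initialised with a null KeyStore uses the JVM's default CA store.
    private static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (mode == Mode.TRUST_ALL) {
            return; // no verification at all: every presented certificate is accepted
        }
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        X509Certificate leaf = chain[0];
        X509Certificate match = pinned.get(key(leaf));
        // equals() compares the full encoded certificate, so a different certificate
        // that merely reuses the issuer/serial pair does not match.
        if (match != null && match.equals(leaf)) {
            leaf.checkValidity(); // pinned, but an expired certificate is still rejected
            return;
        }
        // Not pinned: ordinary path validation against the known CAs.
        caDelegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return caDelegate.getAcceptedIssuers();
    }
}
```

Wire it in by passing the instance to SSLContext.init() as the TrustManager array. In TRUST_ALL mode the replication peer's certificate is never checked, so that mode only makes sense where the peer is authenticated some other way; in ALLOWLIST mode the pinned set and the CA store together define who may replicate.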

