directory-dev mailing list archives

From Stefan Seelmann <>
Subject Re: [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 18:34:58 GMT
Hi Kiran,

On 23.10.2012 08:09, Kiran Ayyagari wrote:
> Hi All,
>     I am currently implementing an X509 trust manager that is used for
> checking client certificates while using TLS for replication.
>     This trust manager can work in any one of the two modes
>             1. trust all (default mode)
>             2. trust only the specified certificates

I'm not sure if 'trust all' mode should be the default because then it
is likely that users will keep that setting in production.

>     In the 2nd mode the trust manager loads a set of certificates stored in
> the DIT under ou=certificates,ou=system (a new branch) [1]
>     and checks against this list. A certificate that is not present
> in this list but is signed by a known CA will be trusted
> automatically.

How is the certificate mapped to the user's DN (e.g. for access
control)? Do you plan to use the DN of the certificate as user's DN, or
is there a mapping to the user entry?

Another thing regarding 'signed by a known CA will be trusted': Do you
mean all CAs in the JDK's cacerts file? Or are the trusted CA
certificates also stored in the new ou=certificates,ou=system branch and
must be populated? I ask because these days it is hard to trust those
cacerts CAs...

>    The initial idea is to use this trust manager only for replication
> connections, but I would like to know your thoughts about using it
>     in StartTLS and LDAPS connections by default?

Why not.

Kind Regards,
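As an added illustration of the "trust only the specified certificates" mode discussed in this thread (example code written for this archive page, not ApacheDS's own trust manager): a Java X509TrustManager that accepts a peer certificate only if it is in an explicit set or chains to a CA in an explicitly supplied key store, with no "trust all" default and no fallback to the JDK's cacerts. The class name, the constructor shape and the idea that the caller loads the set from the ou=certificates,ou=system branch are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative "trust only the specified certificates" mode (not ApacheDS code): the peer's
// certificate is accepted if it is in the explicit set (assumed to be loaded by the caller from
// ou=certificates,ou=system) or chains to a CA in the explicit key store. No "trust all" path.
public final class ExplicitTrustManager implements X509TrustManager {
    private final Set<X509Certificate> trustedCerts; // pinned end-entity certificates
    private final X509TrustManager caDelegate;        // validates chains up to a listed CA

    public ExplicitTrustManager(Set<X509Certificate> trustedCerts, KeyStore caStore)
            throws java.security.GeneralSecurityException {
        // tmf.init(null) silently falls back to the JDK default cacerts, so refuse it
        if (caStore == null) throw new IllegalArgumentException("explicit CA key store required");
        this.trustedCerts = Set.copyOf(trustedCerts); // X509Certificate.equals compares DER bytes
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caStore);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.caDelegate = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // expired or not-yet-valid is rejected even when pinned
        if (trustedCerts.contains(leaf)) return; // explicitly listed certificate
        caDelegate.checkClientTrusted(chain, authType); // otherwise must chain to a listed CA
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        checkClientTrusted(chain, authType); // same policy for the replication peer
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return caDelegate.getAcceptedIssuers(); }
}
```

A pinned certificate is matched on its full encoding, so rotating a listed certificate requires updating the set; mapping the accepted certificate to a user DN, as asked above, is a separate step this class does not perform.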
