directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <>
Subject Re: [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 19:10:13 GMT
On Wed, Oct 24, 2012 at 12:04 AM, Stefan Seelmann
<> wrote:
> Hi Kiran,
> On 23.10.2012 08:09, Kiran Ayyagari wrote:
>> Hi All,
>>     I am currently implementing an X509 trust manager that is used for
>> checking client certificates while using TLS for replication.
>>     This trust manager can work in any one of the two modes
>>             1. trust all (default mode)
>>             2. trust only the specified certificates
> I'm not sure if 'trust all' mode should be the default because then it
> is likely that users will keep that setting in production.
>>     In the 2 mode trust manager loads a set of certificates stored in
>> DiT under ou=certificates,ou=system (a new branch) [1]
>>     and checks against this list. The certificate that is not present
>> in this list but is signed by a known CA will be trusted
>> automatically.
> How is the certificate mapped to the user's DN (e.g. for access
> control)? Do you plan to use the DN of the certificate as user's DN, or
> is there a mapping to the user entry?
no, the certificate is not mapped to a user's DN
> Another thing regarding 'signed by a known CA will be trusted': Do you
> mean all CA in the JDK's cacerts file? Or are the trusted CA
> certificates also stored in the new ou=certificates,ou=system branch and
> must be populated? I ask because these days it is hard to trust those
> cacerts CAs...
no, not duplicating them in the DiT, but the default CA certs that come with JRE
yes, hard to trust but this is atleast the base line to begin with the 'trust'
>>    The initial idea is to use this trust manager only for replication
>> connections, but I would like to know your thoughts about using it
>>     in StartTLS and LDAPS connections by default?
> Why not.
one issue is that clients cannot connect with a random self signed
cert anymore (assuming 'trust all' flag is turned off)
> Kind Regards,
> Stefan

Kiran Ayyagari

View raw message