From Kiran Ayyagari <>
Subject Re: [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 09:02:17 GMT
On Tue, Oct 23, 2012 at 1:21 PM, Emmanuel Lécharny <> wrote:
> On 10/23/12 8:09 AM, Kiran Ayyagari wrote:
>> Hi All,
>>      I am currently implementing an X509 trust manager that is used for
>> checking client certificates while using TLS for replication.
>>      This trust manager can work in any one of two modes:
>>              1. trust all (default mode)
>>              2. trust only the specified certificates
>>      In the second mode, the trust manager loads a set of certificates stored in
>> the DIT under ou=certificates,ou=system (a new branch) [1]
> Will it be a separate partition?
no, this is just a branch under the ou=system partition
>>      and checks against this list. A certificate that is not present
>> in this list but is signed by a known CA will be trusted
>> automatically.
>>     The initial idea is to use this trust manager only for replication
>> connections, but I would like to know your thoughts about using it
>>      in StartTLS and LDAPS connections by default?
> Well, usually, we fetch the certificate from the user entry, so we only have
> one place to store every piece of information relative to a user. Typically,
> there is no specific reason to not store the public key certificate of a
> user somewhere else than in the user's entry.
yeah, a common area where all trusted certificates are stored is much easier to
handle (assuming the case where not all user entries contain
certificates, unless in a PKI-like env.)
> Now, we can certainly imagine a situation where you want to gather many
> certificates in a simple place.
> Keep in mind we can also add an index on certificate (although we will have
> to write a specific matching rule to the associated comparator in order to
> avoid doing a plain byte[] comparison of certificates. I'm sorry, but here I
> have not enough knowledge to foresee all the consequences of such a
> modification, I have to do my homework :)
> Anyway, this is certainly an area we have to investigate!
currently searching is not the main concern here, but I agree with your point
>> [1] I am thinking of replacing the unused
>> prefNodeName=sysPrefRoot,ou=system branch with
>> ou=certificates,ou=system, please raise any
>>       objections you may have w.r.t. this change.
> Well, I'd rather keep this branch, and create a new one atm. We can delete
> the prefNodeName later if needed.
> Btw, will it impact the configuration?
no, this branch is not in use anywhere except in some tests while
comparing the DNs of search results
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny

Kiran Ayyagari
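The two-mode trust manager sketched in the message above, as an added example that is not code from the thread or from ApacheDS. It assumes the explicitly trusted certificates have already been read from ou=certificates,ou=system into a Set, and that the "known CA" check is delegated to the JDK's default PKIX trust manager over a caller-supplied KeyStore; the class and enum names (ReplicationTrustManager, TrustMode) are hypothetical.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical trust manager with the two modes discussed on the list:
 * TRUST_ALL accepts any presented certificate; TRUST_LISTED accepts a
 * certificate that is in the configured set, or otherwise one whose chain
 * validates against a known CA.
 */
public class ReplicationTrustManager implements X509TrustManager {

    public enum TrustMode { TRUST_ALL, TRUST_LISTED }

    private final TrustMode mode;
    // SHA-256 fingerprints (hex) of the explicitly trusted certificates,
    // e.g. the entries loaded from ou=certificates,ou=system.
    private final Set<String> trustedFingerprints;
    // Delegate that performs the ordinary CA chain validation.
    private final X509TrustManager caTrustManager;

    public ReplicationTrustManager(TrustMode mode, Set<X509Certificate> trusted,
                                   KeyStore caStore) throws Exception {
        this.mode = mode;
        Set<String> fps = new HashSet<>();
        for (X509Certificate c : trusted) {
            fps.add(fingerprint(c));
        }
        this.trustedFingerprints = Collections.unmodifiableSet(fps);
        this.caTrustManager = defaultTrustManager(caStore);
    }

    // Builds the JDK's default (PKIX) trust manager over the given CA store;
    // a null store means the JVM's default cacerts.
    private static X509TrustManager defaultTrustManager(KeyStore caStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Fingerprint over the DER encoding, so that the comparison does not
    // depend on how the certificate was stored or re-encoded.
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (mode == TrustMode.TRUST_ALL) {
            return; // default mode in the thread: every presented certificate is accepted
        }
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // an expired or not-yet-valid certificate is rejected even when listed
        if (trustedFingerprints.contains(fingerprint(leaf))) {
            return; // explicitly listed certificate
        }
        // Not listed: accept only if the chain is signed by a known CA.
        caTrustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Same policy when this server is the TLS client (replication consumer).
        checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return caTrustManager.getAcceptedIssuers();
    }
}
```

To use it, pass an instance as the trust manager when building the SSLContext for the replication listener or consumer: `SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(keyManagers, new TrustManager[] { trustManager }, null);`. Keying the list on the DER fingerprint rather than on the byte[] itself sidesteps the comparator question raised in the thread for the trust check, although a real matching rule would still be needed for searching the branch.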
