directory-dev mailing list archives

From Kiran Ayyagari <>
Subject Re: [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 09:26:49 GMT
On Tue, Oct 23, 2012 at 1:44 PM, Pierre-Arnaud Marcelot <> wrote:
> Hi Kiran,
> On 23 oct. 2012, at 08:09, Kiran Ayyagari <> wrote:
>> Hi All,
>>    I am currently implementing an X509 trust manager that is used for
>> checking client certificates while using TLS for replication.
>>    This trust manager can work in any one of the two modes
>>            1. trust all (default mode)
>>            2. trust only the specified certificates
> Sounds cool. :)
>>    In the 2nd mode the trust manager loads a set of certificates stored in
>> DiT under ou=certificates,ou=system (a new branch) [1]
> Sorry to hijack a little the original topic here, but I think it's related.
> I really think we should get rid of the system partition, it has no use and
> the only interesting thing it still holds is the default/admin user.
We discussed this several times, but later I started to think
that we should keep it.

Let me state the reasons that support this in my view:

  o this serves as a playground for users without having to go
    through the creation of a partition and multiple restarts
    before they can actually inject an entry and use it

  o parts of the system partition come with default protection using
    ACI, and this is also a nice-to-have in an out-of-the-box installation

  o the system partition is very tightly coupled with the internals
    (though it _can_ be changed, it requires a substantial amount of effort)

> Everything that is configurable (including the default/admin user) has its
> place in the configuration partition.
> That includes the certificates you're talking about.
Other than the feature that it can be edited using a text editor, I am
really not comfortable with this config LDIF partition, because it is
quite inefficient in the way it handles updates; a complete re-write
after each modification makes it vulnerable to corruption (when I
try applying an ACI it takes way too long to complete and leaves the
partition corrupted if the process is killed in the middle).
The point I am trying to make is that adding certificates to this
partition makes the backing LDIF file grow large in size, making any
modify operation even slower.
> ATM, the default password is not included in the configuration and it makes
> it uncomfortable having to first launch the server to be able to edit this
> value.
Currently the config.ldif is not written to disk unless the server is
started for the very first time.
> It would be the same thing for those certificates.
Adding certificate content to an LDIF entry is quite involved; I
would personally prefer the server to take care of it instead of
manually encoding and adding it in config.ldif.
> I think the configuration partition should really be the place where we
> store everything that can be configured.
> Once that's done, the system partition has no reason to exist anymore
Hope I have made my view clear in the above lines about keeping the
system partition :)
>>    and checks against this list. The certificate that is not present
>> in this list but is signed by a known CA will be trusted
>> automatically.
>>   The initial idea is to use this trust manager only for replication
>> connections, but I would like to know your thoughts about using it
>>    in StartTLS and LDAPS connections by default?
> Sounds like a good idea to me.
> There's a related issue on the API as well (with some kind of a patch
> proposal).
> Regards,
> Pierre-Arnaud
>> [1] am thinking of replacing the unused
>> prefNodeName=sysPrefRoot,ou=system branch with
>> ou=certificates,ou=system, please raise any
>>     objections you may have w.r.t this change.
>> --
>> Kiran Ayyagari

Kiran Ayyagari
