directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 06:09:16 GMT
Hi All,

    I am currently implementing an X509 trust manager that is used for
checking client certificates while using TLS for replication.

    This trust manager can work in either of two modes:
            1. trust all (default mode)
            2. trust only the specified certificates

    In the second mode, the trust manager loads a set of certificates
stored in the DIT under ou=certificates,ou=system (a new branch) [1]
    and checks against this list. A certificate that is not present
in this list but is signed by a known CA will be trusted
automatically.

   The initial idea is to use this trust manager only for replication
connections, but I would like to know your thoughts about using it
    in StartTLS and LDAPS connections by default.

[1] I am thinking of replacing the unused
prefNodeName=sysPrefRoot,ou=system branch with
ou=certificates,ou=system; please raise any
     objections you may have w.r.t. this change.


-- 
Kiran Ayyagari
http://keydap.com
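
As an added illustration of the two-mode design described in the mail above (this is example code written for this page, not ApacheDS code and not from the mail), the class below implements javax.net.ssl.X509TrustManager with a "trust all" mode and a "trust only the specified certificates" mode, where an unlisted certificate is still accepted when the presented chain is signed by a known CA. The class name, the Mode enum, the fromDer helper and the idea of handing in the certificates read from ou=certificates,ou=system as a plain Collection are assumptions for the example; it performs no LDAP access itself.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.net.ssl.X509TrustManager;

/**
 * Example two-mode trust manager (illustration only, not ApacheDS code).
 * TRUST_ALL accepts every chain. TRUST_SPECIFIED accepts a chain whose leaf
 * is in the explicit trust list, or whose chain is signed by a known CA.
 */
public class TwoModeTrustManager implements X509TrustManager {

    public enum Mode { TRUST_ALL, TRUST_SPECIFIED }

    private final Mode mode;
    /** Explicitly trusted end-entity certs (assumed to be loaded from the DIT by the caller). */
    private final Set<X509Certificate> trusted = new CopyOnWriteArraySet<>();
    /** Known CA certs: a chain issued by one of these is trusted automatically. */
    private final Set<X509Certificate> knownCas = new CopyOnWriteArraySet<>();

    public TwoModeTrustManager(Mode mode, Collection<X509Certificate> trustedCerts,
                               Collection<X509Certificate> cas) {
        this.mode = mode;
        trusted.addAll(trustedCerts);
        knownCas.addAll(cas);
    }

    /** Decode one DER-encoded certificate, e.g. a userCertificate;binary value (assumed storage form). */
    public static X509Certificate fromDer(byte[] der) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Sent to the peer in the CertificateRequest; nothing to advertise in trust-all mode.
        return mode == Mode.TRUST_ALL ? new X509Certificate[0] : knownCas.toArray(new X509Certificate[0]);
    }

    private void check(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        if (mode == Mode.TRUST_ALL) {
            return; // default mode: every chain passes, so the cert proves nothing about the peer
        }
        for (X509Certificate c : chain) {
            c.checkValidity(); // expired / not-yet-valid certs fail even when listed
        }
        X509Certificate leaf = chain[0];
        if (trusted.contains(leaf)) { // Certificate.equals compares the DER encoding
            return;
        }
        // Walk the presented chain: each link must be signed by the next one (which must
        // itself be a CA), and the walk succeeds once a link is signed by a known CA.
        for (int i = 0; i < chain.length; i++) {
            if (signedByKnownCa(chain[i])) {
                return;
            }
            if (i + 1 < chain.length) {
                if (chain[i + 1].getBasicConstraints() < 0) {
                    throw new CertificateException("non-CA certificate used as issuer in chain");
                }
                verifyIssuedBy(chain[i], chain[i + 1]);
            }
        }
        throw new CertificateException("not in trust list and not issued by a known CA: "
                + leaf.getSubjectX500Principal());
    }

    private boolean signedByKnownCa(X509Certificate cert) {
        for (X509Certificate ca : knownCas) {
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            try {
                verifyIssuedBy(cert, ca);
                return true;
            } catch (CertificateException e) {
                // issuer name matched but the signature did not; try the next CA
            }
        }
        return false;
    }

    private static void verifyIssuedBy(X509Certificate cert, X509Certificate issuer) throws CertificateException {
        if (!issuer.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new CertificateException("issuer name mismatch in chain");
        }
        try {
            cert.verify(issuer.getPublicKey());
        } catch (GeneralSecurityException e) {
            throw new CertificateException("signature check failed for " + cert.getSubjectX500Principal(), e);
        }
    }
}
```

Two points worth keeping in mind with this design: in the trust-all mode any client certificate is accepted, so a client certificate presented on a replication, StartTLS or LDAPS connection gives no identity assurance at all in that mode; and when walking a chain toward a known CA, the intermediate certificates should carry the CA basic constraint (checked above with getBasicConstraints), otherwise an end-entity certificate that happens to be on the trusted list or issued by a known CA could be used to sign further certificates that the trust manager would then accept.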
