directory-dev mailing list archives
From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: [ApacheDS] adding a global trust manager
Date Tue, 23 Oct 2012 08:14:01 GMT
Hi Kiran,

On 23 Oct. 2012, at 08:09, Kiran Ayyagari <kayyagari@apache.org> wrote:

> Hi All,
> 
> I am currently implementing an X509 trust manager that is used for
> checking client certificates while using TLS for replication.
> 
> This trust manager can work in any one of the two modes:
>   1. trust all (default mode)
>   2. trust only the specified certificates

Sounds cool. :)

> In the 2nd mode the trust manager loads a set of certificates stored in
> the DIT under ou=certificates,ou=system (a new branch) [1]

Sorry to hijack the original topic a little here, but I think it's related.
I really think we should get rid of the system partition; it has no use, and the only interesting
thing it still holds is the default/admin user.

Everything that is configurable (including the default/admin user) has its place in the configuration
partition.
That includes the certificates you're talking about.

ATM, the default password is not included in the configuration and it makes it uncomfortable
having to first launch the server to be able to edit this value.
It would be the same thing for those certificates.

I think the configuration partition should really be the place where we store everything that
can be configured.
Once that's done, the system partition has no reason to exist anymore.

WDYT?

> and checks against this list. The certificate that is not present
> in this list but is signed by a known CA will be trusted
> automatically.
> 
> The initial idea is to use this trust manager only for replication
> connections, but I would like to know your thoughts about using it
> in StartTLS and LDAPS connections by default?

Sounds like a good idea to me.

There's a related issue on the API as well (with some kind of a patch proposal).
https://issues.apache.org/jira/browse/DIRAPI-72

Regards,
Pierre-Arnaud

> [1] I am thinking of replacing the unused
> prefNodeName=sysPrefRoot,ou=system branch with
> ou=certificates,ou=system, please raise any
> objections you may have w.r.t. this change.
> 
> 
> -- 
> Kiran Ayyagari
> http://keydap.com
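The two-mode trust manager Kiran describes, as an added sketch that is not ApacheDS code: mode 1 skips verification entirely, mode 2 accepts a peer certificate only if it is in the pinned set (assumed here to be loaded from ou=certificates,ou=system by caller code) or, failing that, if the JDK PKIX manager can build a path to one of the known CAs in the supplied key store. Class and mode names are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative only; name and shape are assumptions, not the ApacheDS implementation.
public final class ReplicationTrustManager implements X509TrustManager {
    public enum Mode { TRUST_ALL, TRUST_SPECIFIED }

    private final Mode mode;
    private final Set<X509Certificate> pinned;  // certificates read from the DIT by the caller
    private final X509TrustManager caTrust;     // PKIX validation against the known CAs

    public ReplicationTrustManager(Mode mode, Set<X509Certificate> pinned, KeyStore caStore)
            throws GeneralSecurityException {
        this.mode = mode;
        this.pinned = Set.copyOf(pinned);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caStore);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new GeneralSecurityException("no X509TrustManager available");
        this.caTrust = found;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { check(chain, authType, true); }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { check(chain, authType, false); }

    private void check(X509Certificate[] chain, String authType, boolean client)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        if (mode == Mode.TRUST_ALL) return;      // mode 1: any presented certificate is accepted
        X509Certificate leaf = chain[0];
        leaf.checkValidity();                     // a pinned but expired certificate is still rejected
        if (pinned.contains(leaf)) return;        // mode 2: exact match (equals compares DER encoding)
        // Not in the stored list: fall back to path validation against the known CAs.
        if (client) caTrust.checkClientTrusted(chain, authType);
        else caTrust.checkServerTrusted(chain, authType);
    }

    @Override public X509Certificate[] getAcceptedIssuers() {
        return mode == Mode.TRUST_ALL ? new X509Certificate[0] : caTrust.getAcceptedIssuers();
    }
}
```

Because TRUST_ALL returns before any check, a deployment left in the default mode gets no client authentication from TLS at all; the stored-list mode is the one that actually constrains who may replicate.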

