directory-users mailing list archives

From Emmanuel Lécharny <>
Subject Re: [ApacheDS] Certificate for StartTLS
Date Wed, 06 Jan 2010 14:46:18 GMT
Beat Burgener | NetSuccess GmbH wrote:
> Stefan,
> thank you for pointing this out.
> BTW: I just found out that I still have 1.5.4   ;-(
> BTW2: I personally do not suggest storing the certificate data within 
> the LDAP directory itself, although there are fields available.
> If you have a certificate used for "", used for web, ldap 
> and so on, compromising the LDAP account or
> ApacheDS through LDAP protocol might reveal the private key - or am I 
> wrong on this?
> I know that more and more directories start storing PKI data within 
> the storage engine (Microsoft ADS does this too),
> but somehow I don't feel comfortable with this ...
The question here is much more about giving people direct access to 
LDAP. I'm not sure it should be considered a good idea to expose your 
LDAP server to the world.

In many cases, you will use your LDAP server as a NIS, requested only by 
IT services, like FTP, DNS, etc.

If you are to use LDAP to store user data, then either you protect the 
critical data (certificates) by adding ACI (good luck ...), or you 
install a second LDAP server (probably a better idea).

M$ had it wrong at the beginning, when they started telling their users 
that AD was an LDAP server and that you should use it for your 
applications, until they realized how dangerous it was, and they created 
AD/AM (of course, there were other reasons, like if you FU with AD, you 
have little option but reinstalling your domain server ... :/). But M$ AD 
is really a NIS server, not an LDAP server, with all the access control 
needed to protect such private data as the users' certificates.
> BTW3: Is there a way to force StartTLS on an LDAP connection using port 
> 389 via the ApacheDS configuration?
It's an extended operation, so yes, you can send such a request to the 
server prior to any operation, on port 389. That's the way everyone 
should use LDAP, btw. LDAPS is considered obsolete.
> That's why I use LDAPS, which does not support plain text connections 
> AFAIK. For LDAP, I don't feel in a position to control whether
> the client uses StartTLS or not ...

I don't remember if there is a way to tell ADS not to accept plain text 
requests when not using LDAPS (Stefan? Stefan (Z)?)
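The point raised above (StartTLS is an extended operation sent on port 389, and nobody in the thread knows how to make the server refuse plain text binds without it) can at least be checked from the defender's side. The following is an added example, not code from the thread or from ApacheDS: a pure-Python check that decodes the cleartext LDAP PDUs at the start of a port-389 session and reports every simple bind sent before the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037, from RFC 4511). The BER helpers, the DN and the two sessions are constructed for the example.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
def ber_len(n):                           # BER definite-form length octets
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos):                   # decode one TLV at buf[pos] -> (tag, value, next_pos)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def ldap_message(msg_id, protocol_op):    # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)

def starttls_request(msg_id):             # ExtendedRequest [APPLICATION 23] { requestName [0] }
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))

def simple_bind_request(msg_id, dn, password):   # BindRequest [APPLICATION 0], simple auth [0]
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))

def audit_port389_stream(stream):
    """Return (msg_id, dn) for every simple bind seen before StartTLS: a password sent in clear."""
    findings, tls_started, pos = [], False, 0
    while pos < len(stream):
        _, body, pos = read_tlv(stream, pos)        # LDAPMessage
        _, raw_id, p = read_tlv(body, 0)            # messageID
        op_tag, op, _ = read_tlv(body, p)           # protocolOp
        if op_tag == 0x77:                          # extendedRequest: is it StartTLS?
            _, oid, _ = read_tlv(op, 0)
            tls_started = tls_started or oid.decode() == STARTTLS_OID
        elif op_tag == 0x60 and not tls_started:    # bindRequest with no TLS yet
            _, _, p = read_tlv(op, 0)               # version
            _, dn, p = read_tlv(op, p)              # name
            auth_tag, _, _ = read_tlv(op, p)        # authentication choice
            if auth_tag == 0x80:                    # simple (password) authentication
                findings.append((int.from_bytes(raw_id, "big"), dn.decode()))
    return findings
# Constructed samples (not real captures); after a real StartTLS the bind would be inside TLS.
ADMIN_DN = "cn=admin,dc=example,dc=com"
PLAINTEXT_SESSION = simple_bind_request(1, ADMIN_DN, "secret")
STARTTLS_SESSION = starttls_request(1) + simple_bind_request(2, ADMIN_DN, "secret")
```

Running `audit_port389_stream` over the PDUs a server (or a capture) sees before TLS is negotiated gives exactly the list of binds a "no plain text on 389" policy would have to reject.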
