Message-ID: <4B44A23A.3020500@gmail.com>
Date: Wed, 06 Jan 2010 15:46:18 +0100
From: Emmanuel Lécharny
To: users@directory.apache.org
Subject: Re: [ApacheDS] Certificate for StartTLS
References: <4B4458A4.5090005@iway.ch> <4B4459BA.5060201@netsuccess.ch> <4B445B89.8050804@iway.ch> <4B446C28.2010901@netsuccess.ch> <4B44743B.1070105@iway.ch> <4B447B3A.7020802@netsuccess.ch> <4B447FCE.2080202@iway.ch> <4B448203.4090102@apache.org> <4B449D84.9070003@netsuccess.ch>
In-Reply-To: <4B449D84.9070003@netsuccess.ch>

Beat Burgener | NetSuccess GmbH wrote:
> Stefan,
>
> thank you for pointing this out.
>
> BTW: I just found out that I still have 1.5.4 ;-(
>
> BTW2: I personally do not suggest storing the certificate data within
> the LDAP directory itself, although there are fields available.
> If you have a certificate used for "ssl.xyz.com", used for web, ldap
> and so on, compromising the LDAP account or
> ApacheDS through LDAP protocol might reveal the private key - or am I
> wrong on this?
> I know that more and more directories start storing PKI data within
> the storage engine (Microsoft ADS does this too),
> but somehow I don't feel comfortable with this ...

The question here is much more about giving people direct access to LDAP.
I'm not sure it should be considered a good idea to expose your LDAP server
to the world. In many cases, you will use your LDAP server as a NIS,
requested only by IT services, like FTP, DNS, etc. If you are to use LDAP to
store user data, then either you protect the critical data (certificates) by
adding ACIs (good luck ...), or you install a second LDAP server (probably a
better idea).

M$ had it wrong at the beginning, when they started telling their users that
AD was an LDAP server and that you should use it for your applications, until
they realized how dangerous it was, and they created AD/AM (of course, there
were other reasons, like if you FU with AD, you have little option but
reinstalling your domain server ... :/). But M$ AD is really a NIS server,
not an LDAP server, with all the access control needed to protect such
private data as the users' certificates.

> BTW3: Is there a way to force StartTLS on an LDAP connection using port
> 389 via the ApacheDS configuration?

It's an extended operation, so yes, you can send such a request to the
server prior to any operation, on port 389. That's the way everyone should
use LDAP, btw. LDAPS is considered obsolete.

> That's why I use LDAPS, which does not support plain text connections
> AFAIK. For LDAP, I don't feel in the position to control whether
> the client uses StartTLS or not ...

I don't remember if there is a way to tell ADS not to accept plain text
requests when not using LDAPS (Stefan? Stefan (Z)?)
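The StartTLS exchange described in the reply above (an ExtendedRequest sent on port 389 before any other operation), worked through as an added example that is not part of the original mail and is not ApacheDS code. It hand-encodes the LDAPMessage in BER following RFC 4511 (the tag values and the StartTLS OID 1.3.6.1.4.1.1466.20037 come from that RFC), decodes the server's ExtendedResponse, and decides whether the client may proceed to the TLS handshake. The server responses are constructed with the same helpers, so the whole exchange runs offline; the choice of resultCode 52 (unavailable) for the refusal case is one of the codes RFC 4511 permits and is an assumption of this example, not something the mail states. The length encoder also handles long-form lengths, which goes slightly beyond the 31-byte StartTLS request itself.

```python
"""Encode an LDAP StartTLS ExtendedRequest and decode the ExtendedResponse
by hand, following the LDAPMessage BER layout in RFC 4511."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14.1

# Tags used by the StartTLS exchange (RFC 4511 sections 4.1, 4.12, 4.14)
TAG_SEQUENCE = 0x30       # UNIVERSAL 16, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_EXTENDED_REQ = 0x77   # [APPLICATION 23] constructed: ExtendedRequest
TAG_EXTENDED_RESP = 0x78  # [APPLICATION 24] constructed: ExtendedResponse
TAG_REQUEST_NAME = 0x80   # [0] requestName (LDAPOID), primitive
TAG_RESPONSE_NAME = 0x8A  # [10] responseName (LDAPOID), primitive

RESULT_SUCCESS = 0
RESULT_UNAVAILABLE = 52   # assumption: one of the codes a server may use to refuse


def der_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Tag-length-value element with a single-byte tag."""
    return bytes([tag]) + der_len(len(payload)) + payload


def der_int(value):
    """Minimal two's-complement INTEGER, enough for an LDAP messageID."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq { requestName STARTTLS_OID } }."""
    ext = tlv(TAG_EXTENDED_REQ, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, der_int(message_id) + ext)


def build_extended_response(message_id, result_code, diagnostic="", response_name=None):
    """Constructed sample of a server ExtendedResponse (layout per RFC 4511 4.12)."""
    body = tlv(TAG_ENUMERATED, bytes([result_code]))          # resultCode
    body += tlv(TAG_OCTET_STRING, b"")                         # matchedDN (empty)
    body += tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8"))  # diagnosticMessage
    if response_name is not None:
        body += tlv(TAG_RESPONSE_NAME, response_name.encode("ascii"))
    return tlv(TAG_SEQUENCE, der_int(message_id) + tlv(TAG_EXTENDED_RESP, body))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf):
    """Decode an LDAPMessage carrying an ExtendedResponse into a dict."""
    tag, msg, _ = read_tlv(buf)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(msg, pos)
    if tag != TAG_EXTENDED_RESP:
        raise ValueError("protocolOp is not an ExtendedResponse")
    _, code, pos = read_tlv(resp)           # resultCode ENUMERATED
    _, matched, pos = read_tlv(resp, pos)   # matchedDN
    _, diag, pos = read_tlv(resp, pos)      # diagnosticMessage
    response_name = None
    while pos < len(resp):                  # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic": diag.decode("utf-8"),
            "response_name": response_name}


def starttls_accepted(response_bytes):
    """True only on resultCode success; anything else means the socket is
    still cleartext and the client must not go on to bind over it."""
    parsed = parse_extended_response(response_bytes)
    return (parsed["result_code"] == RESULT_SUCCESS
            and parsed["response_name"] in (None, STARTTLS_OID))
```

A client writes the request bytes on the plain port 389 socket, reads one ExtendedResponse, and starts the TLS handshake on the same socket only when `starttls_accepted` is true; a library that binds anyway after a non-success response sends the credentials in cleartext, which is exactly the exposure the quoted message worries about. Whether the server can be told to reject plaintext operations is a separate, server-side setting that this reply leaves open.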