directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: attribute ads-certificatepassword shows value in clear text
Date Sat, 28 Jul 2018 01:30:10 GMT


On 27/07/2018 at 22:44, Pankaj Rathod wrote:
> Hi Team,
> 
> The attribute *ads-certificatepassword* of entry
> ads-serverid=ldapserver,ou=servers,ads-directoryserviceId=Default,ou=config
> tree shows certificate password in clear text. Is there any way to
> show/store this value in encrypted format?

Sadly, no.

This password is needed to get access to the KeyStore, and the server
should be able to be run as a daemon, so we can't expect an admin to be
present to enter this password when the daemon is automatically started.

We can't encrypt this password on disk either, without having to ask
someone to type the encryption password in some way.

Up to a point, you have to accept the idea that the server is to be run
in a strictly secured location. That means the file containing this
information (i.e., the LDIF file) has to be read-only, and only accessible
to the user running the server, ideally stored on an encrypted filesystem.


I understand this is not ideal, and if you have a better idea, I'll be glad
to hear about it.

Thanks!
-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


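The mitigation Emmanuel describes (the LDIF holding the clear-text KeyStore password must be readable only by the account the server runs as) can be verified mechanically. The script below is an added example for this thread, not code from ApacheDS or from either poster; the file path, the `apacheds` user name and the sample LDIF line are assumptions chosen for illustration. It reports failure when the file is missing, owned by someone else, or has any group/other permission bits set.

```shell
#!/bin/sh
# Added example (not part of the original thread): verify that a file holding a
# clear-text secret, such as the ApacheDS config LDIF carrying
# ads-certificatePassword, is readable only by the account that runs the server.
#
# Usage (path and user are assumptions): check_secret_file /path/to/config.ldif apacheds

# Print "<octal mode> <owner name>" for a file; GNU stat first, BSD/macOS fallback.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# check_secret_file FILE EXPECTED_OWNER
# Returns 0 when FILE exists, is owned by EXPECTED_OWNER and grants nothing to
# group or other (e.g. mode 0600 or 0400); otherwise prints a reason and returns 1.
check_secret_file() {
    file=$1
    expected_owner=$2

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi

    # Reuse the positional parameters to split "mode owner" without external tools.
    set -- $(file_mode_owner "$file")
    mode=$1
    owner=$2

    # Keep only the last three octal digits so setuid/setgid/sticky bits are ignored.
    perm=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    # Drop the owner digit; what remains are the group and other digits.
    group_other=${perm#?}

    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $expected_owner"
        return 1
    fi
    if [ "$group_other" != "00" ]; then
        echo "FAIL: $file has mode $perm; group and other must have no access"
        return 1
    fi

    echo "OK: $file has mode $perm and is owned by $owner"
    return 0
}
```

Run it from a cron job or a startup hook so that a permission regression (for example a backup tool restoring the file as 0644) is caught before the directory server starts; the check is deliberately independent of the LDIF contents, since it only needs to know that the file is sensitive.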