https://bugs.openldap.org/show_bug.cgi?id=9315
Issue ID: 9315
Summary: FR: Support SPIFFE Certificate Provisioner
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: dar@xoe.solutions
Target Milestone: ---
Created attachment 754 --> https://bugs.openldap.org/attachment.cgi?id=754&action=edit A SPIFFE sample certificate
SPIFFE is a protocol for attesting workload identities.
It implements a pull-based workflow where clients request ad-hoc certificates about their identity from a unix domain socket.
While there is a helper that can wrap clients, it is uncertain how certificate rolls, which happen by default every few minutes, shall be signalled to the ldap client: https://github.com/spiffe/spiffe-helper
I assume there is no signal which induces graceful reloading of the certificates.
Therefore, it might be worth considering adding direct spiffe support to the ldap client. See example: https://github.com/spiffe/c-spiffe/blob/master/c-spiffe.cc
Please find attached a spiffe sample cert, for mere information. Note it does convey identity (exclusively) through SAN, which currently seems not to be supported in OpenLDAP. I'm going to open another issue for that.
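Added example, not code from OpenLDAP or the SPIFFE project, showing the two checks an ldap client would need for the SAN-based identity and the short-lived certificates described in this request: validating the SPIFFE ID carried in the URI SAN, and deciding when a rotating SVID must be reloaded. The half-life reload point and the sample SAN values are this example's assumptions.

```python
import datetime as dt
import re
from typing import List, Tuple

# Character classes from the SPIFFE ID specification: a trust domain uses
# lower-case letters, digits, '.', '-' and '_'; path segments also allow
# upper-case letters.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_spiffe_id(uri: str) -> Tuple[str, str]:
    """Split 'spiffe://<trust-domain>/<path>' into (trust_domain, path).

    Raises ValueError for anything that is not a well-formed SPIFFE ID, so a
    caller can refuse a peer whose SAN carries a malformed value.
    """
    if len(uri.encode()) > 2048:
        raise ValueError("SPIFFE ID exceeds 2048 bytes")
    if not uri.startswith("spiffe://"):
        raise ValueError("scheme must be 'spiffe'")
    rest = uri[len("spiffe://"):]
    if any(c in rest for c in "?#@:"):
        raise ValueError("query, fragment, userinfo and port are not allowed")
    trust_domain, sep, path = rest.partition("/")
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError("invalid trust domain %r" % trust_domain)
    if sep:  # a trailing '/' or an empty segment ('a//b') is rejected here
        for seg in path.split("/"):
            if seg in ("", ".", "..") or not _PATH_SEGMENT_RE.match(seg):
                raise ValueError("invalid path segment %r" % seg)
    return trust_domain, ("/" + path) if sep else ""

def select_spiffe_id(san_uris: List[str]) -> str:
    """An X509-SVID must carry exactly one URI SAN, and it must be a SPIFFE ID."""
    if len(san_uris) != 1:
        raise ValueError("expected exactly one URI SAN, got %d" % len(san_uris))
    parse_spiffe_id(san_uris[0])
    return san_uris[0]

def needs_rotation(not_before: dt.datetime, not_after: dt.datetime,
                   now: dt.datetime, fraction: float = 0.5) -> bool:
    """True once `fraction` of the lifetime has elapsed. Reloading at the
    half-life (the 0.5 default is this example's assumption) leaves the client
    a full half-period to pick up the next SVID before the current one expires."""
    lifetime = not_after - not_before
    if lifetime <= dt.timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    return now >= not_before + lifetime * fraction
```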