https://bugs.openldap.org/show_bug.cgi?id=9315
Issue ID: 9315
Summary: FR: Support SPIFFE Certificate Provisioner
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: dar@xoe.solutions
Target Milestone: ---
Created attachment 754 --> https://bugs.openldap.org/attachment.cgi?id=754&action=edit A SPIFFE sample certificate
SPIFFE is a protocol for attesting workload identities.
It implements a pull-based workflow where clients request ad-hoc certificates about their identity from a Unix domain socket.
While there is a helper that can wrap clients, it is uncertain how certificate rolls, which happen by default every few minutes, shall be signalled to the LDAP client: https://github.com/spiffe/spiffe-helper
I assume there is no signal which induces graceful reloading of the certificates.
Therefore, it might be worth considering adding direct SPIFFE support to the ldap client. See example: https://github.com/spiffe/c-spiffe/blob/master/c-spiffe.cc
Please find attached a SPIFFE sample cert, for mere information. Note it does convey identity (exclusively) through SAN, which currently seems not to be supported in OpenLDAP. I'm going to open another issue for that.
dar@xoe.solutions changed:
What | Removed | Added
Status | UNCONFIRMED | RESOLVED
Resolution | --- | INVALID
--- Comment #1 from dar@xoe.solutions --- I think this is no longer pursuable. Alternatively, a SIGNAL handler for reloading all active TLS contexts is more generic, and therefore superior to this request. The alternative shall be pursued, should this use case be accepted.
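The two points raised in this ticket, that an X.509 SVID carries its identity in a URI subjectAltName rather than the Subject DN, and that the client needs a way to swap a rotated certificate in on a signal without restarting, can be shown in a single working program. The following is an added example and is not code from the bug report, from the SPIFFE project or from OpenLDAP; it is written in Go (which is also what spiffe-helper is written in) rather than against libldap, and it assumes a constructed SPIFFE ID `spiffe://example.org/ns/ldap/sa/client`, a self-signed SVID minted locally as a stand-in for what the workload API or spiffe-helper would deliver, and SIGHUP as the reload signal. The names `spiffeIDFromCert`, `newSVID` and `svidStore` are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
	"time"
)

// spiffeIDFromCert returns the SPIFFE ID of an X.509 SVID. The identity is carried in a URI
// subjectAltName, not in the Subject DN, and SPIFFE allows exactly one: spiffe://<trust-domain>/<path>.
func spiffeIDFromCert(cert *x509.Certificate) (*url.URL, error) {
	if len(cert.URIs) != 1 {
		return nil, fmt.Errorf("want exactly one URI SAN, got %d", len(cert.URIs))
	}
	id := cert.URIs[0]
	if id.Scheme != "spiffe" || id.Host == "" || id.User != nil || id.Port() != "" || id.RawQuery != "" || id.Fragment != "" {
		return nil, fmt.Errorf("malformed SPIFFE ID %q", id.String())
	}
	return id, nil
}

// newSVID mints a self-signed SVID with u as its URI SAN. It stands in for the workload API (or the
// files spiffe-helper writes) so the example runs offline; real SVIDs are signed by the trust domain CA.
func newSVID(u *url.URL, ttl time.Duration) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// svidStore holds the SVID in service. Handshakes fetch it through GetClientCertificate, so swapping
// the pointer rotates the certificate with no restart and no effect on handshakes already in flight.
type svidStore struct{ cur atomic.Value }

// GetClientCertificate is the tls.Config hook; every new handshake sees the current SVID.
func (s *svidStore) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	if c, _ := s.cur.Load().(*tls.Certificate); c != nil {
		return c, nil
	}
	return nil, fmt.Errorf("no SVID loaded")
}

// reload validates the fetched SVID before swapping it in, so a bad rotation (not a SPIFFE SVID,
// outside its validity window) leaves the previous certificate in service.
func (s *svidStore) reload(fetch func() (*tls.Certificate, error)) error {
	c, err := fetch()
	if err != nil {
		return err
	}
	if _, err := spiffeIDFromCert(c.Leaf); err != nil {
		return err
	}
	if now := time.Now(); now.Before(c.Leaf.NotBefore) || now.After(c.Leaf.NotAfter) {
		return fmt.Errorf("SVID valid %s to %s, not now", c.Leaf.NotBefore, c.Leaf.NotAfter)
	}
	s.cur.Store(c)
	return nil
}

// reloadOnSignal is the generic mechanism Comment #1 proposes: each delivery of sig re-runs fetch
// and swaps the result in; a failed reload is logged and the current SVID stays in service.
func (s *svidStore) reloadOnSignal(sig os.Signal, fetch func() (*tls.Certificate, error)) {
	ch := make(chan os.Signal, 1)
	signal.Notify(ch, sig)
	go func() {
		for range ch {
			if err := s.reload(fetch); err != nil {
				fmt.Fprintln(os.Stderr, "SVID reload failed:", err)
			}
		}
	}()
}

func main() {
	id, _ := url.Parse("spiffe://example.org/ns/ldap/sa/client") // constructed example identity
	var store svidStore
	fetch := func() (*tls.Certificate, error) { return newSVID(id, 5*time.Minute) }
	store.reloadOnSignal(syscall.SIGHUP, fetch) // pair with &tls.Config{GetClientCertificate: store.GetClientCertificate}
	fmt.Println("initial load:", store.reload(fetch))
}
```

In a real deployment `fetch` would re-read the certificate and key files spiffe-helper rewrites (or call the workload API directly) instead of minting a certificate, and the `tls.Config` built from the store is what the LDAP client's TLS dial uses. The libldap counterpart of the swap is to set the new certificate and key paths and then `LDAP_OPT_X_TLS_NEWCTX` through `ldap_set_option(3)`, which creates a fresh TLS context from the current settings for connections opened afterwards; connections already established keep the context they were created with, which is why the validation-before-swap in `reload` matters: a rotation that fails must not leave the client with nothing to present.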
--- Comment #2 from dar@xoe.solutions --- Reformulated and improved in: https://bugs.openldap.org/show_bug.cgi?id=9326
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | RESOLVED | VERIFIED