<quote who="hyc@symas.com">
ghenry@suretecsystems.com wrote:
In another step towards 100% remote admin/config, could we store StartTLS certs in the directory for slapd usage, replacing the need for TLS* config path hardcoding?
One step at a time...
Sure, I just wanted to have this wish recorded somewhere ;-)
Ordinarily I would store certs in an entry with the same DN as the cert. This would mean creating a directory entry for your server name, as well as directory entries for any client certs you wanted to use. That's probably not the ideal way to go here.
We could store the certs directly, in attributes under cn=config. We could also just store DNs in the config attributes, pointing to certs in some other database entries.
Understood.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/