Turbo Fredriksson wrote:
On 9 Apr 2017, at 11:29, Howard Chu <hyc(a)symas.com> wrote:
> Turbo Fredriksson wrote:
>> On 9 Apr 2017, at 04:06, Howard Chu <hyc(a)symas.com> wrote:
>> Only difference might be that the local FS isn’t available _outside_ the host, a
> As soon as a host offers something like ssh, then that distinction is gone too.
> Moreover, a secure mechanism for distributing private keys to users is required but
> ever specifies how to do that. Certainly LDAP/TLS is more manageable than sneakernet
> this is more bootstrappable.
Yeah, I’ve been struggling like crazy about this the last couple of months.
There’s many scripts and some products that can be/handle a CA, but
no one seems to have thought about the actual distribution of the result(s).
Or how to restrict queries, distribution and what type of cert is/can be requested.
And every link I’ve ever seen about certs, “then copy it securely to the
destination”. But no wording on HOW to do that or how to script it (in a
more .. “automated” fashion).
Everything I’ve seen about the subject is so darn _complex_! It shouldn’t HAVE
Indeed, there's no reason for it.
So if you can do something like this, and leave the ACL/policies etc
to the admin,
using existing functionality (ACL/ACI/ppolicy or whatever), I’d be a very happy man! :)
This is coming along now...
Are you actually talking about OpenLDAP being a “CA” as well? As in, being able
to create certificates by requests, or are you talking about OpenLDAP “only”
being the … “backend-storage” for such a tool?
The autoca overlay turns slapd into a CA. It can generate certificates for any
users (and servers) in the directory. Please read the slapo-autoca(5) manpage
for more info.
For bootstrapping purposes I'm now extending back-config to be able to use
certificates/keys stored directly in cn=config. The autoca overlay will be
extended to store its generated CA cert in cn=config, so that a slapd can
immediately support TLS as soon as the overlay is used (without requiring
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/