There's one sure fire way to find out...
Start it up with a syncrepl, then move the private key, and see if it syncs fine both ways.
Wait a day or so, and make a change and see if that synced.
If I had to put a dollar on it, if guess that it doesn't need the key after startup. I could be horribly wrong though - I'm not a dev, just a user of the software.
:)
- chris
Chris Jacobs, Jr. Unix System Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org>
To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Thu Mar 25 18:44:47 2010
Subject: Re: tls private key
HI
On Fri, Mar 26, 2010 at 12:09 PM, Tyler Gates <tgates81(a)gmail.com> wrote:
> Alex,
> encrypting the private key really isn't necessary and I highly doubt it
> would work for your application nor be worth the hassel. Securing via file
> permisssions as mentioned previously is really the best way to tackle this.
> Think of 'other layers of protection' being firewalls, intrusion detection,
> restricted logins, chroot jails, etc., etc...
yep go those, firewalls, permissions etc.
I am not sure why every one is against me trying to use another layer
of protection, just because I permission it as root.root 440, doesn't
mean its safe. I could make it safer, but unecrypting the private key,
starting slapd and removing the unecrypted file.
Or thing of it another way, my private key could be on a usb key, that
i insert into the machine on start up and remove once slapd has
started.
I have seen secure machine compromised before, somebody installed cvs
forgot to change the cvs userid password, root hack and a remote user
had access to the system. Some times people do silly things
on my laptop - I encrypt the fs and the swap space and my gpg key have
userid/passwords and my certs have userid password protection, like to
do the same for my ldap setup as well :)
I understand the reasons for encrypting and signing packets or
information, just asking if slapd needs access to the private key
after it has read the file on startup.
> Encryption really works best for UDP like transportation like email where
> you cannot guarantee the recipient is the only person able to 'see' the
> document ;)
>
[snip]
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.