On Fri, Jan 10, 2025 at 03:00:07PM +1100, Sean Gallagher wrote:
As it stands, slapd does not check the server name on a client certificate, or client certificate chain. It only exposes the name to the access control rules. slapd will accept a connection from a client with ANY certificate signed by ANY CA in its list. As such, the safest way to operate is to have a single dedicated CA, probably slapo-autoca, that exclusively signs certificates for valid clients, and use the access control rules to limit what the client can see.
Hi Sean, there is something you omitted since it's obvious to you, but for the sake of clarity I feel I should make it clear for others' sake: with slapd you always configure a different set of CAs for the client (trusted to issue certificates of the servers you connect to) and the server side of the TLS auth (trusted to issue certificates of clients that connect to you).
Any certificates issued by a CA thus trusted will be accepted unless found to be revoked; you are spot on with the rest.
As to WHY the certificates are user-only configuration options, I never found an explanation, but always assumed it was so unprivileged system users could not assume the identity of any system daemons or root. This COULD have been implemented in other ways but it is what it is, and not such a big deal.
Yes, these are considered credentials, you generally do not trust system-wide configuration to store your credentials and as such, these options are ignored.
Regards,
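The split the two messages above describe, written out as configuration. This is an added example, not configuration from either poster or from the OpenLDAP project; the hostname ldap.example.com, the suffix dc=example,dc=com, the ou=clients subtree, the user svc-app and all file paths are assumed. The server-side trust store (TLSCACertificateFile in slapd.conf) decides which client certificates pass the handshake; the client-side trust store (TLS_CACERT in ldap.conf) decides which server certificates the tools accept; TLS_CERT and TLS_KEY only take effect in a per-user .ldaprc or the LDAPTLS_CERT/LDAPTLS_KEY environment variables.

```conf
# ---------- Server side: slapd.conf (assumed paths) ----------

# WEAK: trusting the distribution's public CA bundle here means any
# certificate issued by any of those CAs completes the TLS handshake.
# slapd checks only that the chain validates against this file, not who
# the certificate holder is.
#TLSCACertificateFile  /etc/ssl/certs/ca-certificates.crt

# BETTER: one dedicated CA that signs nothing except this directory's
# client certificates (slapo-autoca, or a private CA kept offline).
TLSCACertificateFile   /etc/ldap/tls/clients-ca.pem
TLSCertificateFile     /etc/ldap/tls/ldap.example.com.crt
TLSCertificateKeyFile  /etc/ldap/tls/ldap.example.com.key

# "demand" refuses the session if no valid client certificate is presented.
# It does not narrow which valid certificate is accepted; only the CA file
# above does that.
TLSVerifyClient demand

# With SASL EXTERNAL over TLS the authentication DN is the client
# certificate's subject DN in LDAP order. slapd does not compare it with
# anything; access control is what limits what the holder can see. If the
# dedicated CA issues subjects of the form
#   cn=<client>,ou=clients,dc=example,dc=com
# then only those certificate holders get read access here:
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.children="ou=clients,dc=example,dc=com" read
        by * none

# ---------- Client side: /etc/ldap/ldap.conf (system-wide) ----------

URI         ldaps://ldap.example.com
BASE        dc=example,dc=com
# CA that issued the SERVER's certificate. This is a separate trust store
# from the one slapd uses for client certificates, and may be a public CA.
TLS_CACERT  /etc/ldap/tls/servers-ca.pem
TLS_REQCERT demand
# TLS_CERT and TLS_KEY placed in this file are ignored: they are user-only
# options, so a world-readable system file cannot hand root's or a daemon's
# identity to every local user.

# ---------- Client side: ~/.ldaprc of the user svc-app ----------

SASL_MECH   EXTERNAL
TLS_CERT    /home/svc-app/.ldap/client1.crt
# private key, mode 0600, owned by svc-app
TLS_KEY     /home/svc-app/.ldap/client1.key
```

To check what identity the server actually derives, run ldapwhoami -H ldaps://ldap.example.com -Y EXTERNAL as the user that owns the .ldaprc; it should print the certificate's subject as dn:cn=client1,ou=clients,dc=example,dc=com (assumed subject). A certificate from any other CA listed in TLSCACertificateFile would pass the handshake just the same, which is why the access rule, not the handshake, is the control that matters.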