lux-integ wrote:
I have been searching webpages for guidance on using a smartcard (also known as an HSM) for storing passwords for an LDAP database on a Linux system.
This would include, for instance, how the userPassword (attribute) would be specified, i.e. how to specify the userPassword to read the PIN/SO-PIN/PUK{whatever} of the HSM/smart-card etc. etc.?
It's not entirely clear what you want to achieve.
Which risks do you want to address?
1. For rootpw in configuration you should simply avoid setting it.
2. For protecting TLS client and server certificates' private keys you could e.g. use PKCS#11 modules with OpenSSL (pkcs11 engine) or libnss. Never did that myself though and it will be slow for most smartcard hardware. And it will be quite some work to implement a robust setup.
3. When using LDAP simple bind the client sends the password in clear and slapd hashes it and compares it to hashed 'userPassword' value(s).
4. In case of SASL mechanisms which require 'userPassword' value(s) in clear you would have to implement a reversible encryption password storage schema in an OpenLDAP overlay and adapt some other layer/components to correctly use it.
=> much more detail needed
Ciao, Michael.
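To illustrate point 3 of the reply above (slapd hashes the cleartext simple-bind password and compares it with the stored 'userPassword' value), here is an added example that is not part of the thread: it builds and verifies an OpenLDAP-style {SSHA} userPassword value (base64 of SHA-1(password + salt) followed by the salt). The function names and the sample password are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length; the salt is whatever follows it


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} userPassword value from a cleartext password.

    Format: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    A random 4-byte salt (OpenLDAP's default size) is used unless one is given.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(cleartext: str, stored: str) -> bool:
    """Check a cleartext password (as received on simple bind) against a stored {SSHA} value.

    This is why simple bind needs the cleartext: the server recomputes the salted
    hash and compares it; it never recovers the password from the stored value.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("only the {SSHA} scheme is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("stored value too short to contain digest and salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: what would be stored in 'userPassword' for this user.
    stored_value = ssha_hash("correct horse battery staple")
    print(stored_value)
    print(verify_userpassword("correct horse battery staple", stored_value))  # True
    print(verify_userpassword("wrong password", stored_value))                # False
```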