Christopher Paul wrote:
Hello openldap-technical,
I'm wondering what the OpenLDAP-technical World thinks about LDAP authentication secrets. A couple observations and questions:
- RFC 4519 allows userPassword to be multi-valued and it gives some rationale which is logical, but it also seems to lack imagination. There seem to be more possibilities for abuse by defining attributeType this way than legitimate use cases. Is there any way to force userPassword to be single-valued? Has anyone attempted this?
The LDAP Password Policy spec requires userPassword to store only 1 value.
- Assuming you decide to ditch passwords, and use TLS EXTERNAL, you still have the problem of storing the key, and the risk that if the key is stolen, than someone other than you can authenticate as you. Of course store it on storage with permissions and ownership of files set correctly. That goes without being said, but storage is not always perfectly secure or private, so let's not trust it completely. Short lifetimes would be one mitigation. And CRLs of course. What else do people do?
You can generate short lifetime certs easily enough but keys tend to still be long lived. Likewise in Kerberos where tickets are short lifetime, but you still use a longlived password to get the initial TGT.
You can use the autoCA overlay in OpenLDAP to streamline certificate generation for all of your users and set them to arbitrarily long or short lifetimes. No matter what security mechanism you develop, the key management problem remains unchanged.
- Is there anyway to have ldap* commands read the key in from an environment variable or call to gpg/secrets store /etc? Funky alias / bash-wrapper yeah but I'm looking for something less clunky.
The OpenLDAP software doesn't even touch any strong secrets - they're all managed by the relevant TLS / Kerberos / whatever library, so this question should be directed to those packages.