On 3/12/22 4:26 AM, Howard Chu wrote:
The LDAP Password Policy spec requires userPassword to store only 1 value.
But simple auth will still work for all of them if someone manually adds others right?
You can generate short-lifetime certs easily enough, but keys tend to still be long-lived. Likewise in Kerberos, where tickets are short-lifetime, but you still use a long-lived password to get the initial TGT.
You can use the autoCA overlay in OpenLDAP to streamline certificate generation for all of your users and set them to arbitrarily long or short lifetimes. No matter what security mechanism you develop, the key management problem remains unchanged.
But if you're swapping out the cert, you can optionally re-key at the same time, so I think we add to the list of TLS client best practice: re-key when you re-cert. Right? There are no great costs to re-keying, unless I am missing something.
- Is there any way to have ldap* commands read the key in from an environment variable or a call to gpg / a secrets store / etc.? Funky alias / bash wrapper, yeah, but I'm looking for something less clunky.
The OpenLDAP software doesn't even touch any strong secrets - they're all managed by the relevant TLS / Kerberos / whatever library, so this question should be directed to those packages.
Thanks for the redirect, Howard. I will ask.
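The first point in the thread (the password-policy spec allows only one userPassword value, yet nothing stops someone adding more by hand and simple bind still accepting all of them) is easy to audit from an LDIF export. The following is an added example, not code from the thread or from OpenLDAP: a minimal LDIF reader (handles folded lines, base64 `::` values and comments, but is not a full RFC 2849 parser) and a check that reports every entry carrying more than one userPassword value. The sample LDIF and the hash placeholders in it are constructed for the example.

```python
import base64

# Constructed sample LDIF export (not from the thread). The second entry
# carries two userPassword values, one of them base64-encoded ('::').
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}placeholder-hash-one

# bob has an extra value someone added by hand
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}placeholder-hash-two
userPassword:: e1NTSEF9cGxhY2Vob2xkZXItaGFzaC10aHJlZQ==
"""


def parse_ldif(text):
    """Parse a minimal LDIF document into a list of {attr: [values]} dicts.

    Attribute names are lower-cased; the entry's DN is stored under "dn".
    Folded lines (leading space) are joined, 'attr:: b64' values decoded,
    'attr:< url' references kept as-is rather than fetched.
    """
    # Unfold continuation lines first: a line starting with one space
    # continues the previous logical line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries = []
    current = None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):  # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:  # plain value, or a '< url' reference kept verbatim
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def find_multivalued_passwords(text, attribute="userpassword"):
    """Return [(dn, count)] for entries holding more than one value of
    the given attribute. For userPassword, any count > 1 violates the
    single-value requirement the password-policy spec imposes."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        count = len(entry.get(attribute.lower(), []))
        if count > 1:
            findings.append((dn, count))
    return findings


if __name__ == "__main__":
    for dn, n in find_multivalued_passwords(SAMPLE_LDIF):
        print(f"{dn}: {n} userPassword values (ppolicy expects exactly 1)")
```

Run it against a real export (for example the output of slapcat or ldapsearch) by feeding the file contents to find_multivalued_passwords instead of SAMPLE_LDIF; any DN it lists is a candidate for cleanup, since each surplus value is an extra credential that simple bind will honour.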