On 3/12/22 00:02, Christopher Paul wrote:
- RFC 4519 allows userPassword to be multi-valued and it gives some rationale which is logical, but it also seems to lack imagination. There seem to be more possibilities for abuse by defining attributeType this way than legitimate use cases. Is there any way to force userPassword to be single-valued? Has anyone attempted this?
You cannot modify the standard schema. But you can use overlay slapo-constraint to limit the number of userPassword values to 1.
- Assuming you decide to ditch passwords, and use TLS EXTERNAL, you still have the problem of storing the key, and the risk that if the key is stolen, then someone other than you can authenticate as you.
You're speaking about TLS client certs? In theory you could use libldap linked to OpenSSL with PKCS#11 support. But even if you manage to get it working, the client setup is complicated and the usual client software will not easily work with that.
- Is there any way to have ldap* commands read the key in from an environment variable or call to gpg/secrets store/etc? Funky alias / bash-wrapper yeah but I'm looking for something less clunky.
Which users use the LDAP client? systemd has a directive LoadCredential= which might also somewhat help.
But all that depends on your specific use-case.
Ciao, Michael.