Howard Chu wrote:

No really good ideas come to mind. I have a patch for libldap to explicitly set a callback to supply the key password, it won't make it into 2.4.13 but probably will be in 2.4.14. I will probably add two options to slapd, analogous to the back-bdb options to set the DB encryption key. (One option to set the key directly as an argument of the config option, one option to read the key from an arbitrary file.) Obviously for automated startup the plaintext of the key must be accessible to the slapd somewhere, and that means it is also accessible to potential intruders. This is just a fact of life. You can make key retrieval more tedious by hiding it behind other layers of encryption, but ultimately the keys to each of those layers must also be accessible, otherwise slapd itself cannot use them.

There are "clever" schemes to hide startup keys, but they tend to make restarts difficult. E.g., store keys on a mountpoint that you remount some other filesystem onto after the boot sequence has completed and all dependent daemons have started. Keep a file handle open on the new filesystem, to prevent it from being dismounted without rebooting the system. It'll fool a lot of intruders, but you won't be able to restart individual daemons without rebooting the machine.

Akke Bengtsson

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Hi,

Did this make it into 2.4.14? I've checked the CHANGES and can't see anything mentioned re libldap?

Thanks.
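An added example, not code from this thread or from OpenLDAP: a small hypothetical Python key-file loader illustrating two points from Howard's quoted message, that the plaintext startup key has to be readable by the daemon (so file ownership and mode are the only real protection, and layering more encryption on top just moves the problem), and that the "remount over the key directory and hold a file handle open" scheme leaves a restarted daemon unable to find its key until the next reboot. The file name `slapd.key`, the function names and the permission checks are assumptions for illustration, not slapd behaviour; the scenario in `demo()` is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Hypothetical key-file loader (not slapd code). Assumes a POSIX host;
# KEY_NAME is a made-up file name.
KEY_NAME = "slapd.key"


def key_dir_is_covered(key_dir: str) -> bool:
    """Return True if something is mounted on top of key_dir.

    This is the state the "remount after boot" scheme leaves the system in:
    the real key file still exists underneath, but a daemon restarted now
    sees only the covering filesystem, so its key is unreadable until reboot.
    """
    return os.path.ismount(key_dir)


def load_startup_key(key_path: str) -> bytes:
    """Read the plaintext startup key, refusing obviously unsafe files.

    The plaintext must be readable by the daemon, so the only protection is
    that nobody else can read it: regular file (no symlink), owned by the
    daemon's user, mode 0600. Anything weaker is refused rather than used.
    """
    fd = os.open(key_path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{key_path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{key_path}: not owned by uid {os.geteuid()}")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError(
                f"{key_path}: mode {stat.S_IMODE(st.st_mode):04o} is readable by others")
        key = os.read(fd, 4096).rstrip(b"\r\n")
    finally:
        os.close(fd)
    if not key:
        raise ValueError(f"{key_path}: empty key file")
    return key


def pin_covering_fs(path: str) -> int:
    """Hold a descriptor open on the covering filesystem.

    While this fd is open, umount(2) of that filesystem fails with EBUSY,
    which is what stops an intruder from simply unmounting the cover to get
    at the keys. The caller keeps the fd for the life of the process.
    """
    return os.open(path, os.O_RDONLY | os.O_CLOEXEC)


def startup(key_dir: str) -> bytes:
    """What a daemon would do at start: detect the covered state, then load."""
    if key_dir_is_covered(key_dir):
        raise RuntimeError(f"{key_dir} is covered by a mount; restart needs a reboot")
    return load_startup_key(os.path.join(key_dir, KEY_NAME))


def write_key(path: str, key: bytes, mode: int) -> None:
    """Create a key file with an explicit mode (constructed test fixture)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, key + b"\n")
    finally:
        os.close(fd)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: a 0600 key loads, a 0644 copy is refused,
    and the directory is not (yet) covered by a mount."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        write_key(os.path.join(d, KEY_NAME), b"correct horse battery staple", 0o600)
        result["key"] = startup(d)
        result["covered"] = key_dir_is_covered(d)
        write_key(os.path.join(d, "leaked.key"), b"same key", 0o644)
        try:
            load_startup_key(os.path.join(d, "leaked.key"))
            result["leaked_rejected"] = False
        except PermissionError:
            result["leaked_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The mount check only tells a restarted daemon why it cannot find its key; nothing here can undo the cover without root and an unmount, which is exactly the restart cost described above. Real deployments usually accept the simpler model: a 0600 key file owned by the service account, and filesystem permissions plus host hardening as the actual boundary.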
--On Friday, February 20, 2009 9:20 AM +0000 ghenry@OpenLDAP.org wrote:
No really good ideas come to mind. I have a patch for libldap to explicitly set a callback to supply the key password, it won't make it into 2.4.13 but probably will be in 2.4.14. I will probably add two options to slapd,
Hi,
Did this make it into 2.4.14? I've checked the CHANGES and can't see anything mentioned re libldap?
Not so far. There probably should be an ITS filed on this by Howard.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On Friday, February 20, 2009 9:20 AM +0000 ghenry@OpenLDAP.org wrote:
No really good ideas come to mind. I have a patch for libldap to explicitly set a callback to supply the key password, it won't make it into 2.4.13 but probably will be in 2.4.14. I will probably add two options to slapd,
Hi,
Did this make it into 2.4.14? I've checked the CHANGES and can't see anything mentioned re libldap?
Not so far. There probably should be an ITS filed on this by Howard.
I had to postpone it since we did the TLS code restructuring. I also don't yet know how to do the equivalent for GnuTLS, will have to do some other research before addressing this again.
----- "Howard Chu" hyc@symas.com wrote:
Quanah Gibson-Mount wrote:
--On Friday, February 20, 2009 9:20 AM +0000 ghenry@OpenLDAP.org wrote:
No really good ideas come to mind. I have a patch for libldap to explicitly set a callback to supply the key password, it won't make it into 2.4.13 but probably will be in 2.4.14. I will probably add two options to slapd,
Hi,
Did this make it into 2.4.14? I've checked the CHANGES and can't see anything mentioned re libldap?
Not so far. There probably should be an ITS filed on this by Howard.
I had to postpone it since we did the TLS code restructuring. I also don't yet know how to do the equivalent for GnuTLS, will have to do some other research before addressing this again.
Thanks for the update.
openldap-technical@openldap.org