On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs
Just Alex :) (getting used to google mail) Alexander reminds me of
being in trouble from the parents
I don't know if they only get read at startup or not... but it does bring up the
I would like to have another layer of protection on the machine /
certificates. I would have thought it would have been a quick and easy
question - yes I could go and read the src, but.
Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the
user/group you use to run slapd).
yep I do, root.openldap (debian)
If there are others with root permission to this box that shouldn't or you don't
want to have access to these files - you /really should/ fix that issue first. Then trust
the file system permissions to do their job.
so why allow for encrypted private keys :)
Sadly, I suspect though that you're dead set on keeping the certs password protected,
and won't be doing the above.
The above is already done.
However, you could always just /try/ - if it works, then you know the answer. Just get
used to restarting/starting slapd being a needless PITA.
not sure where you got the idea I haven't already done this ?
And I am note sure why its bad to look for another layer of security
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org] On Behalf Of
Sent: Monday, March 22, 2010 11:21 PM
Subject: Fwd: tls private key
THought I would re ask, do certificates only get read at start up, I store my cert's
with password, can i unpassword protect and then start slapd and then remove the
unpassworded cert private file ?
will this be okay until such a time as slapd get restart ?
---------- Forwarded message ----------
From: Alex Samad <alex(a)samad.com.au>
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
I am setting up my sync repl to use certificates, my problem is I don't want to leave
my private key for the server un encrypted.
the file pointed to by TLSCertificateKeyFile is is just read at slapd load up time, ie
can i unencrypt the file start slapd and then remove the un encrypted file ?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.