On 10/23/12 8:09 AM, Kiran Ayyagari wrote:
Hi All,
I am currently implementing an X509 trust manager that is used for
checking client certificates while using TLS for replication.
This trust manager can work in any one of the two modes
1. trust all (default mode)
2. trust only the specified certificates
In the second mode, the trust manager loads a set of certificates stored in
the DIT under ou=certificates,ou=system (a new branch) [1]
Will it be a separate partition?
and checks against this list. A certificate that is not present
in this list but is signed by a known CA will be trusted
automatically.
The initial idea is to use this trust manager only for replication
connections, but I would like to know your thoughts about using it
in StartTLS and LDAPS connections by default?
Well, usually, we fetch the certificate from the user entry, so we only
have one place to store every piece of information relative to a user.
Typically, there is no specific reason to not store the public key
certificate of a user somewhere else than in the user's entry.
Now, we can certainly imagine a situation where you want to gather many
certificates in a single place.
Keep in mind we can also add an index on certificate (although we will
have to write a specific matching rule to the associated comparator in
order to avoid doing a plain byte[] comparison of certificates). I'm
sorry, but here I have not enough knowledge to foresee all the
consequences of such a modification, I have to do my homework :)
Anyway, this is certainly an area we have to investigate!
[1] I am thinking of replacing the unused
prefNodeName=sysPrefRoot,ou=system branch with
ou=certificates,ou=system, please raise any
objections you may have w.r.t this change.
Well, I'd rather keep this branch, and create a new one atm. We can
delete the prefNodeName later if needed.
Btw, will it impact the configuration?
--
Regards,
Kind regards,
Emmanuel Lécharny
www.iktek.com
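A sketch of the two-mode trust manager Kiran describes, added here as an illustration and not ApacheDS code: the class name, the Mode enum and the caller-supplied set of pinned certificates are assumptions, and loading that set from ou=certificates,ou=system is left to the caller. The fallback to "signed by a known CA" delegates to the JVM's default X509TrustManager.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical illustration of the trust manager discussed in the thread (not ApacheDS code).
public class ReplicationTrustManager implements X509TrustManager {
    public enum Mode { TRUST_ALL, TRUST_SPECIFIED }

    private final Mode mode;
    private final Set<X509Certificate> pinned; // certificates the caller loaded from the DIT
    private final X509TrustManager caTrust;    // platform CA store, for the "known CA" fallback

    public ReplicationTrustManager(Mode mode, Set<X509Certificate> pinned) throws Exception {
        this.mode = mode;
        this.pinned = Set.copyOf(pinned); // X509Certificate.equals compares the DER encoding
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);        // null keystore selects the JVM's default CA trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        this.caTrust = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (mode == Mode.TRUST_ALL) return;  // default mode: every presented certificate is accepted
        if (chain == null || chain.length == 0) throw new CertificateException("empty client chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity();                // a listed certificate still has to be within its validity period
        if (pinned.contains(leaf)) return;   // explicitly listed under ou=certificates,ou=system
        // Not listed: accept only if the chain validates against a known CA (throws otherwise)
        caTrust.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkClientTrusted(chain, authType); // replication peers are checked the same way in both directions
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return caTrust.getAcceptedIssuers();
    }
}
```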