On Tue, Oct 23, 2012 at 1:21 PM, Emmanuel Lécharny <[email protected]> wrote:
> Le 10/23/12 8:09 AM, Kiran Ayyagari wrote:
>
>> Hi All,
>>
>> I am currently implementing an X509 trust manager that is used for
>> checking client certificates while using TLS for replication.
>>
>> This trust manager can work in any one of the two modes
>> 1. trust all (default mode)
>> 2. trust only the specified certificates
>>
>> In the 2nd mode the trust manager loads a set of certificates stored in the
>> DIT under ou=certificates,ou=system (a new branch) [1]
>
> Will it be a separate partition ?
>
no, this is just a branch under the ou=system partition

>> and checks against this list. A certificate that is not present
>> in this list but is signed by a known CA will be trusted
>> automatically.
>>
>> The initial idea is to use this trust manager only for replication
>> connections, but I would like to know your thoughts about using it
>> in StartTLS and LDAPS connections by default?
>
> Well, usually, we fetch the certificate from the user entry, so we only have
> one place to store every piece of information relative to a user. Typically,
> there is no specific reason to not store the public key certificate of a
> user somewhere else than in the user's entry.
>
yeah, a common area where all trusted certificates are stored is much easier
to handle (assuming the case where not all user entries contain certificates,
unless in a PKI-like env.)

> Now, we can certainly imagine a situation where you want to gather many
> certificates in a simple place.
>
> Keep in mind we can also add an index on certificate (although we will have
> to write a specific matching rule to the associated comparator in order to
> avoid doing a plain byte[] comparison of certificates. I'm sorry, but here I
> have not enough knowledge to foresee all the consequences of such a
> modification, I have to do my homework :)
>
> Anyway, this is certainly an area we have to investigate !
>
currently searching is not the main concern here, but I agree with your point

>> [1] am thinking of replacing the unused
>> prefNodeName=sysPrefRoot,ou=system branch with
>> ou=certificates,ou=system, please raise any
>> objections you may have w.r.t this change.
>
> Well, I'd rather keep this branch, and create a new one atm. We can delete
> the prefNodeName later if needed.
>
> Btw, will it impact the configuration ?
>
no, this branch is not in use anywhere except in some tests while comparing
the DNs of search results

> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
-- Kiran Ayyagari http://keydap.com
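One way to structure the two modes described in the message above (trust all, or trust only the certificates loaded from the DIT with a fallback to any certificate signed by a known CA), as an added example that is not part of the original thread and not ApacheDS code. Class and method names are hypothetical; it assumes the entries under ou=certificates,ou=system carry DER-encoded certificates (for instance in a userCertificate attribute, fetched by code outside this example) and that "known CA" means the JVM's default trust store:

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical trust manager with the two modes from the thread:
 *   mode 1: trust all            - no checking at all
 *   mode 2: trust only listed    - leaf must be in the DIT-loaded list, or chain to a known CA
 */
public final class ReplicationTrustManager implements X509TrustManager {

    private final boolean trustAll;
    private final Set<X509Certificate> trusted;   // certificates read from ou=certificates,ou=system (assumed)
    private final X509TrustManager caFallback;    // JVM default trust store, for "signed by a known CA"

    private ReplicationTrustManager(boolean trustAll, Set<X509Certificate> trusted, X509TrustManager caFallback) {
        this.trustAll = trustAll;
        this.trusted = trusted;
        this.caFallback = caFallback;
    }

    /** Mode 1: accept every peer certificate. Nothing is verified, not even validity dates. */
    public static ReplicationTrustManager trustAll() {
        return new ReplicationTrustManager(true, Collections.<X509Certificate>emptySet(), null);
    }

    /** Mode 2: derEncodedCerts are the certificate values fetched from the DIT branch (assumed input). */
    public static ReplicationTrustManager trustOnly(Collection<byte[]> derEncodedCerts) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<X509Certificate> set = new HashSet<X509Certificate>();
        for (byte[] der : derEncodedCerts) {
            // Certificate.equals/hashCode compare the DER encoding, so a HashSet gives exact-match lookup
            set.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                     // null = the JVM's default cacerts
        X509TrustManager ca = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { ca = (X509TrustManager) tm; break; }
        }
        return new ReplicationTrustManager(false, set, ca);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain, authType, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain, authType, false);
    }

    private void check(X509Certificate[] chain, String authType, boolean clientSide) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        if (trustAll) {
            return;                                    // mode 1
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity();                          // an explicitly listed certificate can still be expired
        if (trusted.contains(leaf)) {
            return;                                    // mode 2: exact match against the DIT list
        }
        if (caFallback != null) {                      // not listed: accept only if a known CA signed the chain
            if (clientSide) caFallback.checkClientTrusted(chain, authType);
            else caFallback.checkServerTrusted(chain, authType);
            return;
        }
        throw new CertificateException("not in trusted list and no CA fallback: " + leaf.getSubjectX500Principal());
    }

    /** Issuers advertised in the TLS CertificateRequest: the fallback CAs plus the listed certificates
     *  (included so a self-signed peer sees its own issuer name in the list). */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> issuers = new ArrayList<X509Certificate>(trusted);
        if (caFallback != null) {
            Collections.addAll(issuers, caFallback.getAcceptedIssuers());
        }
        return issuers.toArray(new X509Certificate[issuers.size()]);
    }
}
```

The manager is handed to `SSLContext.init(keyManagers, new TrustManager[]{ tm }, null)` on the replication listener; the check is deliberately an exact DER match rather than a subject or fingerprint comparison, which is the same byte[] equality Emmanuel notes would need a proper matching rule before it could be indexed in the DIT.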
