Hi Kiran,

On 23.10.2012 08:09, Kiran Ayyagari wrote:
> Hi All,
>
> I am currently implementing an X509 trust manager that is used for
> checking client certificates while using TLS for replication.
>
> This trust manager can work in any one of the two modes
> 1. trust all (default mode)
> 2. trust only the specified certificates

I'm not sure if 'trust all' mode should be the default, because then it is likely that users will keep that setting in production.

> In the 2nd mode the trust manager loads a set of certificates stored in the
> DIT under ou=certificates,ou=system (a new branch) [1]
> and checks against this list. A certificate that is not present
> in this list but is signed by a known CA will be trusted
> automatically.

How is the certificate mapped to the user's DN (e.g. for access control)? Do you plan to use the DN of the certificate as the user's DN, or is there a mapping to the user entry?

Another thing regarding 'signed by a known CA will be trusted': Do you mean all CAs in the JDK's cacerts file? Or are the trusted CA certificates also stored in the new ou=certificates,ou=system branch and must be populated? I ask because these days it is hard to trust those cacerts CAs...

> The initial idea is to use this trust manager only for replication
> connections, but I would like to know your thoughts about using it
> in StartTLS and LDAPS connections by default?

Why not.

Kind Regards,
Stefan
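The two modes discussed in this thread, written out as an added example of an X509TrustManager. This is not ApacheDS code and not Kiran's implementation; the class name ReplicationTrustManager, the Mode enum, and the constructor taking the trusted leaf certificates and CA certificates as plain lists (rather than reading them from ou=certificates,ou=system) are assumptions made for the example. The point it illustrates is Stefan's second question: "signed by a known CA" is only meaningful against an explicitly populated CA set, so the example validates against the caller-supplied anchors and never consults the JDK's cacerts. TRUST_ALL is kept only to show what the unsafe default actually does.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/**
 * Illustrative client-certificate trust manager (added example, not ApacheDS code).
 *
 *  TRUST_ALL             accepts any non-empty chain. Suitable for a developer sandbox only;
 *                        if shipped as the default it will stay on in production.
 *  TRUST_SPECIFIED_CERTS accepts a chain if the leaf certificate is one of the explicitly
 *                        trusted certificates, or if the chain validates (PKIX) against an
 *                        explicitly populated set of CA certificates. The JDK cacerts file
 *                        is deliberately never consulted.
 */
public final class ReplicationTrustManager implements X509TrustManager {

    public enum Mode { TRUST_ALL, TRUST_SPECIFIED_CERTS }

    private final Mode mode;
    private final Set<X509Certificate> trustedLeaves;   // e.g. loaded from ou=certificates,ou=system
    private final Set<TrustAnchor> trustedCas;          // assumption: populated by the administrator

    public ReplicationTrustManager(Mode mode, List<X509Certificate> leaves, List<X509Certificate> cas) {
        this.mode = mode;
        // X509Certificate.equals()/hashCode() compare the DER encoding, so a HashSet is a safe pin store.
        this.trustedLeaves = new HashSet<>(leaves);
        this.trustedCas = new HashSet<>();
        for (X509Certificate ca : cas) {
            trustedCas.add(new TrustAnchor(ca, null));
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        check(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Advertised to the peer in the CertificateRequest; only our own CA set, not cacerts.
        List<X509Certificate> issuers = new ArrayList<>();
        for (TrustAnchor ta : trustedCas) {
            issuers.add(ta.getTrustedCert());
        }
        return issuers.toArray(new X509Certificate[0]);
    }

    private void check(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        if (mode == Mode.TRUST_ALL) {
            return; // unsafe: any certificate, self-signed or otherwise, is accepted
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // even an explicitly trusted certificate must not be expired
        if (trustedLeaves.contains(leaf)) {
            return; // explicitly trusted certificate, no CA needed
        }
        if (trustedCas.isEmpty()) {
            throw new CertificateException("not an explicitly trusted certificate and no CA configured: "
                    + leaf.getSubjectX500Principal());
        }
        // Build the path without the trust anchor itself, which PKIX expects to be supplied separately.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!isTrustAnchor(c)) {
                path.add(c);
            }
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            PKIXParameters params = new PKIXParameters(trustedCas);
            // Assumption for the example: no CRL/OCSP infrastructure. Enable revocation checking
            // in production if one exists; otherwise a compromised replica key can never be cut off.
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
        } catch (CertPathValidatorException e) {
            throw new CertificateException("chain does not validate against the configured CAs: "
                    + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw new CertificateException(e);
        }
    }

    private boolean isTrustAnchor(X509Certificate c) {
        for (TrustAnchor ta : trustedCas) {
            if (ta.getTrustedCert().equals(c)) {
                return true;
            }
        }
        return false;
    }
}
```

A practitioner wiring this into replication would construct it with Mode.TRUST_SPECIFIED_CERTS, an empty CA list if only pinned replica certificates should ever be accepted, and would pass it to SSLContext.init() as the sole trust manager so that no default cacerts-backed manager sits beside it.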
