Hello openldap-technical,

I'm wondering what the OpenLDAP-technical world thinks about LDAP authentication secrets. A couple of observations and questions:

1. RFC 4519 allows userPassword to be multi-valued and it gives some
   rationale which is logical, but it also seems to lack imagination.
   There seem to be more possibilities for abuse by defining
   attributeType this way than legitimate use cases. Is there any way
   to force userPassword to be single-valued? Has anyone attempted this?
2. Assuming you decide to ditch passwords, and use TLS EXTERNAL, you
   still have the problem of storing the key, and the risk that if the
   key is stolen, then someone other than you can authenticate as you.
   Of course, store it on storage with permissions and ownership of
   files set correctly. That goes without saying, but storage is
   not always perfectly secure or private, so let's not trust it
   completely. Short lifetimes would be one mitigation. And CRLs of
   course. What else do people do?
3. Is there any way to have ldap* commands read the key in from an
   environment variable or a call to gpg/a secrets store, etc.? A funky
   alias / bash wrapper, yeah, but I'm looking for something less clunky.

Many thanks,

Chris Paul | Rex Consulting | https://www.rexconsulting.net
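One way to cap userPassword at a single value on the server side, as an added example that is not part of the original post: the slapo-constraint overlay's `count` constraint rejects any add or modify whose resulting entry would carry more than the allowed number of values. The module path and the `olcDatabase={1}mdb` DN below are assumptions; adjust them to your own cn=config layout.

```ldif
# Load the constraint overlay module (path is an assumption for this example;
# use the module directory of your own install).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: constraint.la

# Attach the overlay to the database that holds user entries
# (olcDatabase={1}mdb is an assumption) and allow at most one userPassword.
# Writes that would leave more than one value are refused with
# constraintViolation; a replace of the whole attribute still succeeds.
dn: olcOverlay=constraint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: userPassword count 1
```

The overlay only checks write operations, so entries that already hold several userPassword values stay as they are until something modifies them; audit for those separately (for example, a search filtered on entries whose userPassword count exceeds one) before relying on the constraint.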
