On 3/12/22 4:26 AM, Howard Chu wrote:
> The LDAP Password Policy spec requires userPassword to store only 1 value.

But simple auth will still work for all of them if someone manually adds
others, right?
> You can generate short lifetime certs easily enough but keys tend to still be
> long-lived. Likewise in Kerberos where tickets are short lifetime, but you
> still use a long-lived password to get the initial TGT.
>
> You can use the autoCA overlay in OpenLDAP to streamline certificate generation
> for all of your users and set them to arbitrarily long or short lifetimes. No
> matter what security mechanism you develop, the key management problem remains
> unchanged.

But if you're swapping out the cert, you can optionally re-key at the
same time, so I think we add to the list of TLS client best practice:
re-key when you re-cert. Right? There are no great costs to re-keying,
unless I am missing something.
>> 3. Is there any way to have ldap* commands read the key in from an environment
>> variable or call to gpg/secrets store /etc? Funky alias / bash-wrapper, yeah,
>> but I'm looking for something less clunky.
>
> The OpenLDAP software doesn't even touch any strong secrets - they're all
> managed by the relevant TLS / Kerberos / whatever library, so this question
> should be directed to those packages.
Thanks for the redirect, Howard. I will ask.
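A renewal helper for the "re-key when you re-cert" practice discussed above, as an added example that is not part of this thread or of OpenLDAP. It generates a fresh key together with the CSR and gives a renewal script a guard that rejects a new certificate still carrying the old public key; file names, the P-256 curve and the subject DN are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rotate a TLS client key together with
# its certificate request and verify the rotation really changed the key.
# Requires the openssl CLI. Paths and subject DN below are assumed examples.
set -eu

# Print the public half of a PEM private key in a stable textual form.
pubkey_of() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 when two private key files share the same public key, 1 otherwise.
same_pubkey() {
    [ "$(pubkey_of "$1")" = "$(pubkey_of "$2")" ]
}

# Generate a fresh P-256 private key and the CSR for it in one step, so the
# renewed certificate cannot be issued against the previous key by accident.
# $1 = new key path, $2 = CSR path, $3 = subject DN (e.g. "/CN=example-user").
rekey_and_csr() {
    umask 077   # new key file readable by its owner only
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1" 2>/dev/null
    openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Guard for a renewal script: return 0 only if the certificate's public key
# differs from the public key of the given (old) private key.
# $1 = certificate (PEM), $2 = old private key.
cert_is_rekeyed() {
    [ "$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)" != "$(pubkey_of "$2")" ]
}
```

A renewal job would call `rekey_and_csr` for the CSR it submits and `cert_is_rekeyed` on the returned certificate before installing it next to the new key.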