Christopher Paul wrote:
> On 3/12/22 4:26 AM, Howard Chu wrote:
>> The LDAP Password Policy spec requires userPassword to store only 1 value.
> But simple auth will still work for all of them if someone manually adds
> others, right?

Yes, if you're able to add others they will all be checked on a Bind attempt.

>> You can generate short-lifetime certs easily enough, but keys tend to still
>> be long-lived. Likewise in Kerberos, where tickets are short-lifetime, but
>> you still use a long-lived password to get the initial TGT.
>>
>> You can use the autoCA overlay in OpenLDAP to streamline certificate
>> generation for all of your users and set them to arbitrarily long or short
>> lifetimes. No matter what security mechanism you develop, the key management
>> problem remains unchanged.
>
> But if you're swapping out the cert, you can optionally re-key at the same
> time, so I think we add to the list of TLS client best practice: re-key when
> you re-cert. Right? There are no great costs to re-keying, unless I am
> missing something.

Generating key pairs tends to be the most compute-intensive part of any of this, so usually sites try to do it only once per user. Though that may be more of a consideration for RSA and not as significant for ECC-based pubkey schemes.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
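The "re-key when you re-cert" practice and the RSA-versus-ECC key-generation cost from the exchange above, as an added example that is not part of the thread and not OpenLDAP or autoCA code. It assumes the openssl command-line tool (1.1.1 or later) is on PATH, uses a self-signed certificate as a stand-in for the CA step, and the identity names (alice, bob) and the WORKDIR location are made up for the demonstration.

```shell
#!/bin/sh
# Added example: rotate a TLS client credential by generating a fresh key pair
# AND a fresh short-lived certificate in one step, then measure the part of
# the rotation that actually costs CPU time (key generation, RSA vs P-256).
# Assumes the openssl CLI is installed; names and paths below are hypothetical.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# rekey_and_recert NAME ALG DAYS
#   Writes $WORKDIR/NAME.key and $WORKDIR/NAME.crt. Every call generates a
#   brand-new private key, so key lifetime == certificate lifetime.
#   ALG is "ec" (P-256) or "rsa" (2048-bit). -x509 self-signs (stand-in for a
#   CA such as autoCA); -nodes leaves the key unencrypted for unattended use.
rekey_and_recert() {
    name="$1"; alg="$2"; days="$3"
    case "$alg" in
        ec)  keyopts="-newkey ec -pkeyopt ec_paramgen_curve:P-256" ;;
        rsa) keyopts="-newkey rsa:2048" ;;
        *)   echo "unknown algorithm: $alg" >&2; return 1 ;;
    esac
    # shellcheck disable=SC2086  # keyopts is deliberately word-split
    openssl req -x509 -new $keyopts -nodes -days "$days" \
        -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# pubkey_fingerprint FILE KIND
#   KIND is "key" or "crt". Prints SHA-256 of the DER SubjectPublicKeyInfo,
#   so a private key file and a certificate can be compared for the same key.
pubkey_fingerprint() {
    if [ "$2" = key ]; then
        openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
            | openssl dgst -sha256 -r | cut -d' ' -f1
    else
        openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null \
            | openssl dgst -sha256 -r | cut -d' ' -f1
    fi
}

# cert_matches_key NAME -> status 0 if NAME.crt carries NAME.key's public key.
cert_matches_key() {
    [ "$(pubkey_fingerprint "$WORKDIR/$1.key" key)" = \
      "$(pubkey_fingerprint "$WORKDIR/$1.crt" crt)" ]
}

# cert_valid_for NAME SECONDS -> status 0 if NAME.crt has not expired SECONDS
#   from now (openssl -checkend exits 1 when the cert expires within that window).
cert_valid_for() {
    if openssl x509 -in "$WORKDIR/$1.crt" -noout -checkend "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# keygen_seconds ALG N
#   Generates N key pairs of ALG and prints elapsed wall-clock seconds: the
#   cost that makes sites reluctant to re-key, noticeable for RSA, not P-256.
keygen_seconds() {
    alg="$1"; n="$2"; i=0
    start=$(date +%s)
    while [ "$i" -lt "$n" ]; do
        case "$alg" in
            ec)  openssl ecparam -name prime256v1 -genkey -noout >/dev/null 2>&1 ;;
            rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 >/dev/null 2>&1 ;;
        esac
        i=$((i + 1))
    done
    echo $(( $(date +%s) - start ))
}

# Rotate the same client identity twice with a 1-day cert: both the
# certificate and the private key change on every rotation.
rekey_and_recert alice ec 1
first=$(pubkey_fingerprint "$WORKDIR/alice.key" key)
rekey_and_recert alice ec 1
second=$(pubkey_fingerprint "$WORKDIR/alice.key" key)
if [ "$first" != "$second" ]; then echo "rotation produced a new key pair"; fi
if cert_matches_key alice; then echo "new cert carries the new key"; fi

echo "20 x P-256 keygen:    $(keygen_seconds ec 20)s"
echo "20 x RSA-2048 keygen: $(keygen_seconds rsa 20)s"
```

Run it as-is to see that each rotation yields a different public-key fingerprint while the certificate always matches the key written beside it; the two timing lines make the thread's last point concrete, since generating twenty P-256 keys normally rounds to zero seconds while twenty RSA-2048 keys take measurable time. Replace the `openssl req -x509` self-signing with your CA's signing step (autoCA or otherwise) and the rotation logic is unchanged.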
