Beat Burgener | NetSuccess GmbH a écrit :
Stefan,
thank you for pointing this out.
BTW: I just found out that I still have 1.5.4 ;-(
BTW2: I personally do not suggest storing the certificate data within
the LDAP directory itself, although there are fields available.
If you have a certificate used for "ssl.xyz.com", used for web, ldap
and so on, compromising the LDAP account or
ApacheDS through LDAP protocol might reveal the private key - or am I
wrong on this?
I know that more and more directories start storing PKI data within
the storage engine (Microsoft ADS does this too),
but somehow I don't feel comfortable with this ...
The question here is much more about giving people a direct access to
LDAP. I'm not sure it should be considered a good idea to expose your
LDAP server to the world.
In many case, you will use your LDAP server as a NIS, requested ony by
IT services, like FTP, DNS, etc.
If you are to use LDAP to store user data, then eiher you protect the
critical data (certificates) by adding ACI (good luck ...), or you
install a second LDAP server (probably a better idea).
M$ has it wrong at the beginning, when they start telling their user
that AD was a LDAP server and that you should use it for your
applications, until they realized how dangerous it was, and they created
AD/AM (of course, there were other reasons like if you FU with AD, you
have little option but reinstaling your domain server ... :/). But M$ AD
is really a NIS server, not a LDAP server, with all the access control
needed to protect such private data as the users certificates.
BTW3: Is there a way to force StartTLS an LDAP connection using port
389 via the ApacheDS configuration?
It's an extended operation, so yes, you can send such a resquest to the
server prior to any operation, on port 389. That's the way everyone
should use LDAP, btw. LDAPS is considered as obsolete.
That's why I use LDAPS, which does not support plain text connections
AFAIK. For LDAP, I don't feel in the position to control that
as the client use StartTLS or not ...
I don't remember is there is a way to tell ADS not to accept plain text
requests when not using LDAPS (Stefan ? Stefan (Z)? )
