[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP replication 'credentials'

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: OpenLDAP replication 'credentials'
From: Philip Guenther <guenther+ldapsoft@sendmail.com>
Date: Wed, 7 May 2008 13:57:32 -0600
Cc: openldap-software@openldap.org, Michael Ströder <michael@stroeder.com>
In-reply-to: <1igla89.5g49cy16hjol5M%manu@netbsd.org>
References: <1igla89.5g49cy16hjol5M%manu@netbsd.org>
User-agent: Alpine 1.00 (BSO 882 2007-12-20)

On Wed, 7 May 2008, Emmanuel Dreyfus wrote:

Michael Ströder <michael@stroeder.com> wrote:

Anyway either the private key has to be stored somewhere 1. in clear or
2. password-protected. 2. would require manual admin interaction during
startup. (I don't know whether that's supported at all.)

Sure, but it's not a shared secret.


I'm not sure what you mean by that.

In both cases--setups using passwords and setups using TLS client certs--the one end has enough info to verify authentications (but not to forge them) while the other has a file that contains enough data to generate (and forge) authentications. The name of the file containing that data is different, and the size of that data is different, but if you can read that file, you can forge connections.


Philip Guenther

Follow-Ups:
- Re: OpenLDAP replication 'credentials'
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- Re: OpenLDAP replication 'credentials'
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: OpenLDAP replication 'credentials'
Next by Date: Re: slapo-rwm and rewriteRules
Index(es):
- Chronological
- Thread