I see there is much work on the LDAP schema side to support PKE and
such tools. However, I rarely find documents about how it is
incorporated into a Linux sign-on system, namely SSH. Can anyone point
towards good documentation?
I find information on:
Roumen Petrov's OpenSSH X.509 patch
The information seems a little bit vague.
Is there a document that shows how to:
1) setup a PKI infrastructure in LDAP.
2) Generate a CA and store it in LDAP
3) Generate client certificates and store them in LDAP
4) Compile and patch ssh server
5) Setup and configure ssh server
I was able to get openssh-lpk up and running quickly. However, it stores
public keys in LDAP. It is not a complete PKI, with revocation lists
etc.
Since PKI is being used in a wide range of large-scale deployments, there
should be some strong documentation on it? PKI + SSH + LDAP?
On Thu, Jun 19, 2008 at 10:21 AM, Marc Sauton <msauton(a)redhat.com> wrote:
Michael Brown wrote:
>
> Sanga M. Collins wrote:
>>
>> I think the deployment guide suggests you use pointers instead of loading
>> large pieces of data into the directory
>>
>> Sanga M. Collins Network Engineering
>> ~~~~~~~~~~~~~~~~~~~~~~~
>> IT Management LLC
>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces(a)redhat.com
>> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Michael Ströder
>> Sent: Thursday, June 19, 2008 3:48 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] LDAP Load Tools
>>
>> Michael Brown wrote:
>>
>>>
>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
>>> moving to sp6 soon, or RHDS 8) with large attribute requirements (some
>>> attributes 25-30 Mbytes)
>>>
>>
>> Never saw a deployment where you store several MB into attributes. I'm
>> really curious whether that works. I know you can store this amount of data,
>> but whether it really works for many entries?
>>
>> Ciao, Michael.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>>
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> As an FYI... The issue in the environment in which I'm working is not a
> data at rest issue for the large attributes, but rather a replication and
> writing issue.
>
> This is a US Government customer who has deployed a large PKI and LDAP
> infrastructure based upon the Red Hat CA and DS products, and they have
> several CAs with large certificate revocation lists approaching several
> tens of Mbytes each (the customer has issued tens of millions of certs from
> all the CAs deployed, and has revoked > 20% of these prior to expiration at
> any one time for various reasons, thus the large CRLs). These CRLs are
> published to Red Hat DS instances in the certificateRevocationList;binary
> attribute in the entry for each CA and replicated to consumer DS instances
> and customers who require the CRLs. OCSP is also used, but CRLs are still
> required for many applications.
>
> This is a reasonably mature architecture as far as PKI and LDAP are
> concerned, first deployed in 1999 or thereabouts (think Netscape days), but
> the large CRL growth has been problematic both in generation and in
> publishing/replication at times. The publishing and replication tuning is
> what I'm trying to address with additional lab testing.
>
> The Red Hat CA and DS solutions have shown themselves to be scalable and
> secure in this environment, with proper care and tuning.
>
> Michael
>
I sometimes use RPMs or tar files to represent large attributes.
M.
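The thread above talks about CRLs published into the certificateRevocationList;binary attribute of each CA's entry and replicated to consumers, and the original question asks how a CA and its revocation data end up in LDAP at all. The following is an added, stand-alone example (not code from this thread, from Red Hat DS, or from Red Hat CA) that shows the two pieces in stdlib-only Python: a minimal DER walker that pulls the revoked serial numbers out of an X.509 CertificateList, and the RFC 2849 LDIF (base64 "::" syntax, 76-column folding) used to replace that attribute on the CA entry. The CRL it parses is constructed inline by a small DER builder with a placeholder signature; the issuer name, dates and serial numbers are made up for the example. The fingerprint function is the check a practitioner would want after replication: read the attribute back from the supplier and the consumer and compare digests rather than sizes.

```python
"""Minimal DER CRL build/parse and LDIF publication of
certificateRevocationList;binary. Standard library only; the CRL
produced here carries a placeholder signature and is NOT a valid CRL."""
import base64
import hashlib

# ---- DER encoding (subset sufficient for a CertificateList) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(value):
    # minimal two's-complement encoding for a non-negative INTEGER
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

SHA256_RSA = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")

def der_utctime(s):
    return tlv(0x17, s.encode("ascii"))

def der_name(cn):  # Name ::= SEQUENCE OF SET OF (OID, value); one CN only
    rdn = tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, rdn))

def build_crl(issuer_cn, this_update, next_update, revoked):
    """revoked: list of (serial, UTCTime). Signature is a constructed
    placeholder BIT STRING, so the result parses but does not verify."""
    entries = b"".join(tlv(0x30, der_int(s) + der_utctime(t)) for s, t in revoked)
    tbs = tlv(0x30, der_int(1)                       # version v2
              + SHA256_RSA + der_name(issuer_cn)
              + der_utctime(this_update) + der_utctime(next_update)
              + (tlv(0x30, entries) if revoked else b""))  # omitted when empty
    fake_sig = tlv(0x03, b"\x00" * 33)               # placeholder, not a signature
    return tlv(0x30, tbs + SHA256_RSA + fake_sig)

# ---- DER decoding ----
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def revoked_serials(crl_der):
    """Walk CertificateList -> tbsCertList -> revokedCertificates."""
    tag, outer, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    fields = _children(_read_tlv(outer, 0)[1])
    i = 1 if fields[0][0] == 0x02 else 0             # optional version
    i += 3                                           # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                       # optional nextUpdate
    if i >= len(fields) or fields[i][0] != 0x30:
        return []                                    # no revokedCertificates
    return [int.from_bytes(_children(entry)[0][1], "big", signed=True)
            for _, entry in _children(fields[i][1])]

def is_revoked(crl_der, serial):
    return serial in revoked_serials(crl_der)

# ---- LDIF publication and read-back (RFC 2849) ----
ATTR = "certificateRevocationList;binary"

def ldif_replace_crl(dn, crl_der, width=76):
    b64 = base64.b64encode(crl_der).decode("ascii")
    first = ATTR + ":: "
    room = width - len(first)
    lines = [first + b64[:room]]
    rest, step = b64[room:], width - 1
    lines += [" " + rest[k:k + step] for k in range(0, len(rest), step)]
    return "\n".join(["dn: " + dn, "changetype: modify", "replace: " + ATTR]
                     + lines + ["-", ""])

def ldif_binary_attr(ldif_text, attr=ATTR):
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:        # continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    prefix = attr + ":: "
    for line in unfolded:
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):])
    return None

def crl_fingerprint(crl_der):
    return hashlib.sha256(crl_der).hexdigest()

if __name__ == "__main__":  # constructed sample data
    crl = build_crl("Example CA", "080619000000Z", "080719000000Z",
                    [(0x7F, "080601000000Z"), (0x80, "080602000000Z"),
                     (0x1001, "080603000000Z"), (0x1234567890, "080604000000Z")])
    print([hex(s) for s in revoked_serials(crl)])
    print(ldif_replace_crl("cn=Example CA,ou=CAs,dc=example,dc=com", crl))
```

With a real CRL, feed the DER you fetch from the CA entry (the `;binary` transfer option means the value is raw DER) into `revoked_serials` and `crl_fingerprint`; the same fingerprint on supplier and consumer is the quick check that a multi-megabyte attribute replicated intact.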