[Fedora-directory-users] LDAP Load Tools

Edward Capriolo edlinuxguru at gmail.com
Thu Jun 19 15:08:20 UTC 2008


I see there is much work on the LDAP schema side to support PKE and
such tools. However, I rarely find documents about how it is
incorporated into a Linux sign-on system, namely SSH. Can anyone point
towards good documentation?

I find information on:
Roumen Petrov's OpenSSH X.509 patch
http://roumenpetrov.info/openssh/
The information seems a little bit vague.

Is there a document that shows how to:
1) setup a PKI infrastructure in LDAP.
2) Generate a CA and store it in LDAP
3) Generate client certificates and store them in LDAP
4) Compile and patch ssh server
5) Setup and configure ssh server

I was able to get openssh-lpk up and running quickly. However, it stores
public keys in LDAP. It is not a complete PKI, with revocation lists
etc.

Since PKI is being used in a wide range of large-scale deployments, there
should be some strong documentation on it? PKI + SSH + LDAP?

On Thu, Jun 19, 2008 at 10:21 AM, Marc Sauton <msauton at redhat.com> wrote:
> Michael Brown wrote:
>>
>> Sanga M. Collins wrote:
>>>
>>> I think the deployment guide suggests you use pointers instead of loading
>>> large pieces of data into the directory
>>>
>>> Sanga M. Collins Network Engineering
>>> ~~~~~~~~~~~~~~~~~~~~~~~
>>> IT Management LLC
>>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>>
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces at redhat.com
>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael
>>> Ströder
>>> Sent: Thursday, June 19, 2008 3:48 AM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: [Fedora-directory-users] LDAP Load Tools
>>>
>>> Michael Brown wrote:
>>>
>>>>
>>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
>>>> moving to sp6 soon, or RHDS 8) with large attribute requirements (some
>>>> attributes 25-30 Mbytes)
>>>>
>>>
>>> Never saw a deployment where you store several MB into attributes. I'm
>>> really curious whether that works? I know you can store this amount of data
>>> but whether it really works for many entries.
>>>
>>> Ciao, Michael.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>> As an FYI... The issue in the environment in which I'm working is not a
>> data at rest issue for the large attributes, but rather a replication and
>> writing issue.
>>
>> This is a US Government customer who has deployed a large PKI and LDAP
>> infrastructure based upon the Red Hat CA and DS products, and they have
>> several CAs with large certificate revocation lists approaching several
>> tens of Mbytes each (the customer has issued tens of millions of certs from
>> all the CAs deployed, and has revoked > 20% of these prior to expiration at
>> any one time for various reasons, thus the large CRLs).  These CRLs are
>> published to Red Hat DS instances in the certificateRevocationList;binary
>> attribute in the entry for each CA and replicated to consumer DS instances
>> and customers who require the CRLs.  OCSP is also used, but CRLs are still
>> required for many applications.
>>
>> This is a reasonably mature architecture as far as PKI and LDAP are
>> concerned, first deployed in 1999 or thereabouts (think Netscape days), but
>> the large CRL growth has been problematic both in generation and in
>> publishing/replication at times.  The publishing and replication tuning is
>> what I'm trying to address with additional lab testing.
>>
>> The Red Hat CA and DS solutions have shown themselves to be scalable and
>> secure in this environment, with proper care and tuning.
>>
>> Michael
>>
>
> I sometimes use rpm's or tar files to represent large attributes.
> M.
>
>