[Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

Rich Megginson rmeggins at redhat.com
Thu Aug 4 20:12:59 UTC 2011


On 08/04/2011 02:05 PM, Ian Stokes-Rees wrote:
>
>
> On 8/3/11 6:13 PM, Dmitri Pal wrote:
>> On 08/03/2011 10:10 AM, Ian Stokes-Rees wrote:
>>> If there were some way to securely embed an arbitrary string in the
>>> user profile, that would go a long way to solving this problem.  At
>>> least 4KB to cover a 2048 X.509 public key, but ideally 10 KB or
>>> more.  To remove the ACL complexity, just having it accessible only by
>>> the user (token or password based fetch) would be suitable.
>> Do not quite understand how that would work or what you mean.
>
> I've just realized that I think the functionality I'm looking for is 
> already available.  I want the same system that is used for storing 
> passwords.  Consider the following trace:
>
> $ ldapsearch -h freeipa -b 
> uid=tester,cn=users,cn=portal,dc=nebiogrid,dc=org -Y GSSAPI -LLL -d 0 
> -T ~/.ldapresults/
>
> SASL/GSSAPI authentication started
> SASL username: ijstokes at NEBIOGRID.ORG
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tester,cn=users,cn=portal,dc=nebiogrid,dc=org
> objectClass: person
> objectClass: posixAccount
> objectClass: account
> objectClass: inetOrgPerson
> objectClass: top
> objectClass: organizationalPerson
> givenName: test
> sn: test
> cn: test test
> mail: meghan at hkl.hms.harvard.edu
> uidNumber: 1031
> gidNumber: 1031
> homeDirectory: /p/home//tester
> uid: tester
> userPassword:: e2NyeXB0fXNCb2drN3p4c2lha1E=
>
> [aside: I'd love a tip on how to get rid of the non-LDIF SASL headers]
>
> The userpassword (hash) is stored in base-64 format and is only 
> accessible by me because I have permissions to access this.  Some 
> other user doing the same query would not get the userPassword 
> attribute.  Even better, I can use the "-tt" option to write the 
> base64-decoded content to a file.
>
> The parts of the puzzle that I'd have to work out are:
>
> 1. are there objectClass schemas that have fields that would be 
> suitable for a set of common private keys (rsa1, rsa2, dsa, gpg, pgp, 
> and x509)?
The x509 schemas are included with 389 (05rfc4523.ldif et al.).
I think there is a schema for storage of ssh keys.
>
> 2. if not, instructions on how to set up such a schema (basically with 
> exactly the set of attributes above), with the fields being base64 
> (binary?)
Take a look at the existing schema.  For most fields that hold opaque 
blob data, you will probably want to use OctetString syntax.
>
> 3. what do I have to do to get the behavior that only certain parties 
> can read a particular attribute?
Read up on Access Control (acis): 
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Managing_Access_Control
>
> 4. any way to get ldapsearch to write out particular attributes to 
> particular files?
Not really - all you have is -T and -tt
But any non-trivial application is not going to use ldapsearch as the
main interface for getting these values.  I suggest using python with
python-ldap.
>
> Thanks,
>
> Ian

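As an added example (not code from this thread, and not python-ldap as Rich suggests), here is stdlib-only Python that covers two of the mechanics discussed above: dropping the non-LDIF SASL status lines that ldapsearch prints before the entry, and writing one chosen attribute's base64-decoded (`::`) values to files, as `-tt` does for every base64 attribute. The SAMPLE text, its DN and all attribute values are constructed for the example; whether a client ever receives a sensitive attribute such as userPassword is still decided by the server's ACIs, not by this code.

```python
import base64
import tempfile
from pathlib import Path

# Constructed sample of `ldapsearch -Y GSSAPI -LLL` output: SASL status lines
# first, then one LDIF entry.  Every value below is made up for this example.
SAMPLE = """\
SASL/GSSAPI authentication started
SASL username: tester@EXAMPLE.ORG
dn: uid=tester,cn=users,cn=portal,dc=example,dc=org
uid: tester
userPassword:: e2NyeXB0fUFCQ0RFRg==
userCertificate;binary:: AAECAwQFBgcICQoLDA0ODxAREhMU
 FRYXGBkaGxwdHh8=
"""

def parse_ldif(text):
    """Return {attr: [bytes, ...]} for the first entry in ldapsearch output.
    'attr:: v' means v is base64; a leading space folds onto the prior line."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("dn:"))
    logical = []
    for raw in lines[start:]:              # everything before dn: is SASL chatter
        if raw == "":
            break                          # blank line ends the entry
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]         # folded continuation line
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        entry.setdefault(name, []).append(data)
    return entry

def write_attr(entry, attr, directory=None):
    """Write each value of one attribute to its own file (like -tt, but for a
    chosen attribute only); returns the list of paths written."""
    directory = Path(directory or tempfile.mkdtemp())
    paths = []
    for i, value in enumerate(entry.get(attr, [])):
        path = directory / f"{attr.replace(';', '_')}-{i}.bin"
        path.write_bytes(value)
        paths.append(path)
    return paths
```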