On Thu, 2015-08-06 at 15:25 +0000, Paul Whitney wrote:
> I have several openldap clients. Certs are installed in
> /etc/openldap/cacerts. I am using server certificates to establish an SSL
> connection with the LDAP server. Using PAM LDAP to authenticate users. I
> would like to test hardening these clients.
>
> 1. What are the absolute minimum permissions required for the TLS CERT and
> TLS KEY?
>
> 2. Can the TLS key have a password or must it always be without password?

I am assuming these are client TLS certificates you are using to authenticate to a 389ds instance?

If that is the case, given you are sharing these in /etc/openldap/cacerts on the client workstation, and assuming 1 to 1 of users to the workstation, you could probably just lock the cert and key down to the user's uid and gid.

But a better idea would be to put the cert and key into the user's home directory somewhere, and then use ~/.ldaprc as per http://linux.die.net/man/5/ldap.conf to point them at their own keys and certs. Then you can lock it down with uid / gid permissions from there.

Finally, in all security cases you need to define your threat model. Who are you protecting the keys from? Online attacks? Other employees? Hardware theft? Think about who you are defending from and then that will help you to identify what you should do to protect your system. For example, if you are worried about external theft, using disk encryption like FileVault or LUKS is a good course of action.

I hope this helps,

Sincerely,

--
William Brown <william@xxxxxxxxxxxxxxxx>

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
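One way to audit the per-user ~/.ldaprc layout William suggests (TLS_CERT / TLS_KEY pointing at files the user owns, locked down by mode), as an added example that is not part of the original thread. It assumes GNU coreutils stat on Linux; the audit_ldaprc and demo function names, the sample ldaprc and the file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the per-user ~/.ldaprc
# layout suggested above. It reads TLS_CERT / TLS_KEY from an ldaprc file and
# checks that each file exists, is owned by the invoking user, and is no more
# permissive than 0600 (key) or 0644 (cert). Assumes GNU coreutils stat
# (Linux); the sample paths and ldaprc in demo() are constructed, not real.

# audit_ldaprc FILE -> one line per finding; returns 0 only if all checks pass
audit_ldaprc() {
    rc=0
    me=$(id -u)
    while read -r key value; do
        case "$key" in
            TLS_KEY)  want=600 ;;
            TLS_CERT) want=644 ;;
            *) continue ;;          # other options and comments are not audited
        esac
        if [ ! -f "$value" ]; then
            echo "MISSING $key $value"; rc=1; continue
        fi
        owner=$(stat -c '%u' "$value")
        mode=$(stat -c '%a' "$value")
        if [ "$owner" != "$me" ]; then
            echo "OWNER   $key $value is owned by uid $owner, expected uid $me"; rc=1
        fi
        # any permission bit set in mode but absent from want is too loose
        if [ $(( 0$mode & ~0$want & 0777 )) -ne 0 ]; then
            echo "MODE    $key $value is $mode, expected at most $want"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed demo: a throwaway ldaprc whose key is group-readable (0640).
demo() {
    d=$(mktemp -d)
    printf 'constructed cert\n' > "$d/client.crt"; chmod 644 "$d/client.crt"
    printf 'constructed key\n'  > "$d/client.key"; chmod 640 "$d/client.key"
    printf 'TLS_CERT %s\nTLS_KEY %s\nTLS_REQCERT demand\n' \
        "$d/client.crt" "$d/client.key" > "$d/ldaprc"
    audit_ldaprc "$d/ldaprc"; r=$?
    rm -rf "$d"
    return $r
}

if demo; then echo "ldaprc audit: OK"; else echo "ldaprc audit: findings listed above"; fi
```

Point audit_ldaprc at a real ~/.ldaprc to check a user's own cert and key; the same check run against /etc/openldap/cacerts shows why a shared directory cannot satisfy the per-user ownership requirement.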