I see there is much work on the LDAP schema side to support PKE and such tools. However, I rarely find documents about how it is incorporated into a Linux sign-on system, namely SSH. Can anyone point towards good documentation?

I find information on Roumen Petrov's OpenSSH X.509 patch:
http://roumenpetrov.info/openssh/

The information seems a little bit vague. Is there a document that shows how to:

1) set up a PKI infrastructure in LDAP
2) generate a CA and store it in LDAP
3) generate client certificates and store them in LDAP
4) compile and patch the ssh server
5) set up and configure the ssh server

I was able to get openssh-lpk up and running quickly. However, it stores public keys in LDAP. It is not a complete PKI, with revocation lists etc. Since PKI is being used in a wide range of large-scale deployments, there should be some strong documentation on it? PKI + SSH + LDAP?

On Thu, Jun 19, 2008 at 10:21 AM, Marc Sauton <msauton@xxxxxxxxxx> wrote:
> Michael Brown wrote:
>>
>> Sanga M. Collins wrote:
>>>
>>> I think the deployment guide suggests you use pointers instead of loading
>>> large pieces of data into the directory
>>>
>>> Sanga M. Collins, Network Engineering
>>> ~~~~~~~~~~~~~~~~~~~~~~~
>>> IT Management LLC
>>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces@xxxxxxxxxx
>>> [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Michael Ströder
>>> Sent: Thursday, June 19, 2008 3:48 AM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: LDAP Load Tools
>>>
>>> Michael Brown wrote:
>>>>
>>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
>>>> moving to sp6 soon, or RHDS 8) with large attribute requirements (some
>>>> attributes 25-30 Mbytes)
>>>
>>> Never saw a deployment where you store several MB into attributes. I'm
>>> really curious whether that works? I know you can store this amount of data,
>>> but whether it really works for many entries.
>>>
>>> Ciao, Michael.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>> As an FYI... The issue in the environment in which I'm working is not a
>> data-at-rest issue for the large attributes, but rather a replication and
>> writing issue.
>>
>> This is a US Government customer who has deployed a large PKI and LDAP
>> infrastructure based upon the Red Hat CA and DS products, and they have
>> several CAs with large certificate revocation lists approaching several
>> tens of Mbytes each (the customer has issued tens of millions of certs from
>> all the CAs deployed, and has revoked > 20% of these prior to expiration at
>> any one time for various reasons, thus the large CRLs). These CRLs are
>> published to Red Hat DS instances in the certificateRevocationList;binary
>> attribute in the entry for each CA and replicated to consumer DS instances
>> and customers who require the CRLs. OCSP is also used, but CRLs are still
>> required for many applications.
>>
>> This is a reasonably mature architecture as far as PKI and LDAP are
>> concerned, first deployed in 1999 or thereabouts (think Netscape days), but
>> the large CRL growth has been problematic both in generation and in
>> publishing/replication at times. The publishing and replication tuning is
>> what I'm trying to address with additional lab testing.
>>
>> The Red Hat CA and DS solutions have shown themselves to be scalable and
>> secure in this environment, with proper care and tuning.
>>
>> Michael
>
> I sometimes use rpm's or tar files to represent large attributes.
> M.
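The thread touches two ways of publishing a CA's CRL into the directory: Michael Brown's inline `certificateRevocationList;binary` attribute on the CA entry, and the "pointer" approach Sanga Collins mentions from the deployment guide. The following is an added example, not code from any poster or from Red Hat DS, that builds the LDIF for either form with only the Python standard library, and checks that the DER blob is at least a complete outer SEQUENCE before it is published (a truncated CRL file is otherwise replicated everywhere as-is). The DN, the CRL URL, the 1 MiB inline threshold and the sample "CRL" bytes are all constructed for the example; the sample is only a DER SEQUENCE of the right shape and size, not a real CRL, and using `labeledURI` (RFC 2079) as the pointer attribute is this example's choice, since the thread does not say which attribute the guide means.

```python
"""Publish a DER-encoded CRL to a CA's LDAP entry via LDIF, inline or as a pointer.

Added example (not from the mailing-list thread). The DN, URL, size threshold
and sample bytes below are constructed for illustration.
"""
import base64
from typing import Optional

# Assumed operational limit, chosen for this example: above it we publish a
# pointer instead of the value itself. The thread reports CRLs of several tens
# of MB causing write/replication trouble when stored inline.
INLINE_LIMIT_BYTES = 1 * 1024 * 1024

LDIF_LINE_WIDTH = 76  # RFC 2849: fold long lines; continuations begin with one space


def _fold(line: str) -> str:
    """Fold one logical LDIF line into 76-column physical lines."""
    if len(line) <= LDIF_LINE_WIDTH:
        return line
    head, rest = line[:LDIF_LINE_WIDTH], line[LDIF_LINE_WIDTH:]
    step = LDIF_LINE_WIDTH - 1  # continuation lines carry a leading space
    conts = [" " + rest[i:i + step] for i in range(0, len(rest), step)]
    return "\n".join([head] + conts)


def is_complete_der_sequence(blob: bytes) -> bool:
    """Cheap pre-publish check: a DER CRL is one outer SEQUENCE (tag 0x30) whose
    encoded length must match the blob exactly, which catches truncated files."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length = int.from_bytes(blob[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(blob)


def crl_to_ldif(ca_dn: str, crl_der: bytes, crl_url: Optional[str] = None) -> str:
    """Build an LDIF change record that publishes the CRL on the CA's entry.

    Small CRLs go inline as certificateRevocationList;binary (base64, '::').
    Larger CRLs are published as a labeledURI pointer (assumed attribute for
    the 'pointer' approach); crl_url must then be supplied.
    """
    if not is_complete_der_sequence(crl_der):
        raise ValueError("CRL blob is not a complete DER SEQUENCE; refusing to publish")
    lines = [f"dn: {ca_dn}", "changetype: modify"]
    if len(crl_der) <= INLINE_LIMIT_BYTES:
        b64 = base64.b64encode(crl_der).decode("ascii")
        lines.append("replace: certificateRevocationList;binary")
        lines.append(_fold(f"certificateRevocationList;binary:: {b64}"))
    else:
        if crl_url is None:
            raise ValueError("CRL exceeds inline limit; a crl_url pointer is required")
        lines.append("replace: labeledURI")
        lines.append(f"labeledURI: {crl_url} CRL")  # RFC 2079 form: URI, space, label
    lines.append("-")
    return "\n".join(lines) + "\n"


def read_binary_attr(ldif_text: str, attr: str) -> Optional[bytes]:
    """Unfold an LDIF record and decode one base64 ('::') attribute value."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    prefix = attr + ":: "
    for line in unfolded:
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):])
    return None


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder, used only to build sample blobs."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def constructed_sample_crl(payload_len: int) -> bytes:
    """Constructed stand-in for a DER CRL: a SEQUENCE holding one OCTET STRING.
    Not a real CRL; it only has the outer shape and size this example needs."""
    return _der_tlv(0x30, _der_tlv(0x04, b"\x00" * payload_len))


if __name__ == "__main__":
    ca_dn = "cn=Example CA,ou=CAs,dc=example,dc=org"  # constructed DN
    small = constructed_sample_crl(300)
    ldif = crl_to_ldif(ca_dn, small)
    print(ldif)
    assert read_binary_attr(ldif, "certificateRevocationList;binary") == small
    big = constructed_sample_crl(2 * 1024 * 1024)
    print(crl_to_ldif(ca_dn, big, "http://crl.example.org/example-ca.crl"))
```

Feed the output to `ldapmodify` against the CA's entry; consumers that read the inline form unfold the record exactly as `read_binary_attr` does. The pointer form keeps the large blob out of replication entirely, at the cost of clients having to fetch the CRL from the URL themselves.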