There's one sure-fire way to find out... Start it up with a syncrepl, then move the private key, and see if it syncs fine both ways.
Wait a day or so, then make a change and see if that synced. If I had to put a dollar on it, I'd guess that it doesn't need the key after startup. I could be horribly wrong though - I'm not a dev, just a user of the software. :)

- chris

Chris Jacobs, Jr. Unix System Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: [email protected]

----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp....@openldap.org <openldap-technical-bounces+chris.jacobs=apollogrp....@openldap.org>
To: [email protected] <[email protected]>
Sent: Thu Mar 25 18:44:47 2010
Subject: Re: tls private key

Hi

On Fri, Mar 26, 2010 at 12:09 PM, Tyler Gates <[email protected]> wrote:
> Alex,
> Encrypting the private key really isn't necessary and I highly doubt it
> would work for your application nor be worth the hassle. Securing via file
> permissions as mentioned previously is really the best way to tackle this.
> Think of 'other layers of protection' being firewalls, intrusion detection,
> restricted logins, chroot jails, etc., etc...

Yep, got those: firewalls, permissions etc. I am not sure why everyone is against me trying to use another layer of protection; just because I permission it as root.root 440 doesn't mean it's safe. I could make it safer by decrypting the private key, starting slapd and removing the decrypted file. Or think of it another way: my private key could be on a USB key that I insert into the machine on startup and remove once slapd has started. I have seen secure machines compromised before - somebody installed cvs, forgot to change the cvs userid password, root hack, and a remote user had access to the system.
Sometimes people do silly things; on my laptop I encrypt the fs and the swap space, my gpg key has a userid/password and my certs have userid/password protection, and I'd like to do the same for my ldap setup as well :) I understand the reasons for encrypting and signing packets or information, just asking if slapd needs access to the private key after it has read the file on startup.

> Encryption really works best for UDP like transportation like email where
> you cannot guarantee the recipient is the only person able to 'see' the
> document ;)
> [snip]
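The thread's open question is whether slapd still needs the key file once it is running. One empirical check a defender can run, given here as an added example that is not from the thread or from OpenLDAP, is whether the daemon still holds the file open. It assumes Linux `/proc` and a pid you supply; the `demo` function uses its own pid on a constructed temporary file, since no slapd is assumed to be present. The caveat that matters for the "decrypt, start, delete" plan: an open-handle check only shows file descriptors. A daemon that read the key into memory at startup keeps it there whether or not the file is removed, so deleting the decrypted file (or pulling the USB key) protects against someone reading the disk, not against someone who can read the process's memory.

```python
"""Added example (not from the thread): check whether a running process still
holds a given file open, via Linux /proc. Assumes Linux; on other systems the
functions return None rather than guessing."""
import os


def open_paths(pid: int):
    """Return the set of resolved paths open by `pid`, or None if /proc is unavailable."""
    fd_dir = f"/proc/{pid}/fd"
    if not os.path.isdir(fd_dir):
        return None
    paths = set()
    for fd in os.listdir(fd_dir):
        try:
            paths.add(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            # fd closed between listdir and readlink, or a non-file fd (socket, pipe)
            continue
    return paths


def holds_file_open(pid: int, path: str):
    """True if `pid` has `path` open, False if not, None if it cannot be determined."""
    paths = open_paths(pid)
    if paths is None:
        return None
    target = os.path.realpath(path)
    # A file that was unlinked while still open shows up as "<path> (deleted)" in /proc.
    return target in paths or f"{target} (deleted)" in paths


def demo(tmp_path: str):
    """Open a file in this process, check, close it, check again. Returns (before, after)."""
    fh = open(tmp_path, "rb")
    before = holds_file_open(os.getpid(), tmp_path)
    fh.close()
    after = holds_file_open(os.getpid(), tmp_path)
    return before, after


if __name__ == "__main__":
    import tempfile
    # Constructed placeholder file; stands in for the key file you would actually inspect.
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(b"constructed placeholder, not a real key\n")
    print(demo(tf.name))  # on Linux: (True, False)
    os.unlink(tf.name)
```

To apply it to a real daemon, call `holds_file_open(<slapd pid>, "/path/to/key.pem")` after startup; `False` tells you only that no descriptor is held, not that the key material is gone from memory.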
