Pathfinder, OpenLDAP, and ProxyConfig
What is it?
Our patches add the following features to OpenLDAP 2.3.43 and OpenLDAP
2.4.16:
- We've ported Boeing's ldap-proxy backend to the
latest versions of both the stable and development branches of OpenLDAP,
2.3.43 and 2.4.16.
- We've integrated Pathfinder with the
ldap-proxy backend, so it can perform RFC5280-compliant path validation of
any X.509 certificates retrieved by the certificate discovery service before
they are returned to the requesting connection. Policy mapping, policy
constraints, and name constraints are all handled transparently.
Certificates are also optionally checked for validity, using either CRL or
OCSP, thus helping to work around any deficiencies in client email software.
This creates a configurable, scalable Certificate Discovery Service that is
truly enterprise ready.
- We've integrated Pathfinder with OpenLDAP's
native SSL and TLS support, for validating incoming client certificates.
This allows the administrator to control access to the certificate discovery
service, optionally limiting it only to those who have an appropriate X.509
credential.
- We've improved the ldap-proxy backend so that it can open LDAP/SSL
connections to partner certificate repositories when proxying a request.
This allows an administrator to ensure that any traffic between the
Certificate Discovery Service and client repositories is encrypted, and
ensures the identity of the repository server, thus removing any possibility
of a man-in-the-middle attack. It should be noted that the certificates used
in this exchange are also validated using Pathfinder, thus allowing for all RFC5280
validation checks to be performed.
- We've improved the ldap-proxy backend so that it can automatically
notice changes to its certificate_server_list.txt and ldap_server_list.txt
configuration files. This allows configuration changes to be made without
restarting the server, leading to greater uptime.
- We've created ProxyConfig, which centralizes management and
distribution of these two configuration files for the ldap-proxy
backend.
For more information on these features, please download our 2-page
Certificate Discovery Service brochure (PDF).
For some guidance on deploying our Certificate Discovery Service in an enterprise
environment, please read our Certificate
Discovery Scenarios (PDF) white paper.
We've created several patches for the OpenLDAP 2.3.43 and 2.4.16 server, as
follows:
- The first patch is a port of Boeing's ldap-proxy backend to a modern
version of OpenLDAP, which can also use Pathfinder to validate any
certificates retrieved by the ldap-proxy backend before they are returned
to the requesting connection. Policy mapping, policy constraints, and
name constraints are all handled transparently.
- The second patch allows OpenLDAP to use Pathfinder to validate client
certificates presented as part of a TLS negotiation for an LDAPS
connection. Policy mapping, policy constraints, and name constraints are
all handled transparently.
- A third patch combines both of the above: it allows Pathfinder to
validate client certificates for TLS negotiation and any
certificates retrieved by the ldap-proxy backend.
Current Status:
Pathfinder and these patches for OpenLDAP are all
presently under active development.
Download:
- Patch: adds Boeing ldap-proxy with Pathfinder:
- Patch: adds Pathfinder for TLS connections:
- Megapatch: adds ldap-proxy with Pathfinder, and Pathfinder for TLS:
- NEW: Debian Packages
for OpenLDAP 2.4.11, for Debian GNU/Linux 5.0.1 ("Lenny") with Pathfinder
1.1.1 and ldap-proxy built in, are available.
- RPM packages
for OpenLDAP 2.3.39, for CentOS 5.1 (or RHEL5) with Pathfinder 1.1.1 and
ldap-proxy built in, are available.
Patch Instructions:
- Make sure you have the WvStreams 4.5 library with DBUS support installed.
- Make sure you have Pathfinder 1.1.2 and libpathfinder-openssl
installed and appropriately configured.
- Make sure you have pkg-config installed, and that it knows about
libpathfinder.
- Apply either the second, third, or fourth patch to a clean
openldap-2.3.43 or openldap-2.4.16 build tree (it may also apply cleanly
against other versions...)
- Run "autoconf" and "autoheader".
- When running "./configure", specify "--with-pathfinder".
- Compile and install the OpenLDAP server.
- Enable pathfinder for client certificates with the "TLSPathfinder on"
command in the slapd.conf file.
- If using Boeing's ldap-proxy backend, enable pathfinder for fetched
certificates using the "getcert-pathfinder on" command in the slapd.conf,
in addition to any other necessary ldap-proxy configuration settings.
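As an added example (not the project's own tooling), the POSIX shell helper below runs the prerequisite checks and build steps listed above and emits the slapd.conf directives for both modes. The patch file name, install prefix, certificate paths and the WvStreams pkg-config names (libwvstreams, libwvdbus) are assumptions; TLSVerifyClient is a standard slapd directive added here so that a client certificate is actually demanded before Pathfinder validates it.

```shell
#!/bin/sh
# Added helper for building the Pathfinder-patched OpenLDAP; not part of the project.
# Assumes the patch and a clean OpenLDAP tree are already in the current directory,
# and that WvStreams installs libwvstreams.pc / libwvdbus.pc (assumed .pc names).
set -eu

SRC_DIR="${SRC_DIR:-openldap-2.4.16}"                  # or openldap-2.3.43
PATCH_FILE="${PATCH_FILE:-pathfinder-megapatch.diff}"  # placeholder name for the downloaded patch
PREFIX="${PREFIX:-/usr/local}"

# Verify the three prerequisites from the instructions before touching the tree.
check_prereqs() {
    pkg-config --atleast-version=4.5 libwvstreams || { echo "need WvStreams >= 4.5" >&2; return 1; }
    pkg-config --exists libwvdbus || { echo "WvStreams built without DBUS support" >&2; return 1; }
    pkg-config --atleast-version=1.1.2 libpathfinder \
        || { echo "pkg-config does not know libpathfinder >= 1.1.2" >&2; return 1; }
    command -v autoconf >/dev/null && command -v autoheader >/dev/null
}

# Apply the patch only if a dry run succeeds, regenerate configure, build with Pathfinder.
build_openldap() (
    cd "$SRC_DIR"
    patch -p1 --dry-run < "../$PATCH_FILE"
    patch -p1 < "../$PATCH_FILE"
    autoconf && autoheader
    ./configure --prefix="$PREFIX" --with-pathfinder
    make depend && make && make install
)

# Emit slapd.conf directives: Pathfinder for client certificates always,
# plus Pathfinder for certificates fetched by ldap-proxy when $1 is "proxy".
slapd_fragment() {
    mode="${1:-tls}"
    cat <<EOF
TLSCACertificateFile $PREFIX/etc/openldap/cacerts.pem
TLSCertificateFile $PREFIX/etc/openldap/server.pem
TLSCertificateKeyFile $PREFIX/etc/openldap/server-key.pem
TLSVerifyClient demand
TLSPathfinder on
EOF
    [ "$mode" = proxy ] && echo "getcert-pathfinder on"
    return 0
}

# Usage: ./build.sh build [tls|proxy]  (prints the slapd.conf fragment after installing)
if [ "${1:-}" = build ]; then
    check_prereqs && build_openldap && slapd_fragment "${2:-tls}"
fi
```

Append the printed fragment to slapd.conf together with the remaining ldap-proxy settings your deployment needs.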
Debian Instructions:
- Install the DEB packages.
You may need to use "apt-get" to satisfy additional dependencies.
- OpenLDAP is installed in /opt/ldap_proxy by default.
- Configure the server as per the last two points in the patch
instructions above.
RPM Instructions:
- Install the RPM packages.
You may need to use "yum" to satisfy additional dependencies, and you may
need to get some packages from EPEL.
- OpenLDAP is installed in /opt/ldap_proxy by default.
- Configure the server as per the last two points in the patch instructions
above.
ProxyConfig Instructions:
Please contact us for more info.
Need Help?
Let us know!