[Fedora-directory-users] Certificate to LDAP mapping problem
Rich Megginson
rmeggins at redhat.com
Sat Mar 28 18:55:33 UTC 2009
neuron ring wrote:
>
> Hi lambam,
>
> I am trying to do LDAP client certificate mapping. I have given an
> insight into my configuration below.
>
> My certmap.conf file:
>
> certmap example ou=employees,o=us.com -------------?
> this is the DN of the CA issuer,
> example:verifycert on
> example:DNComps cn,email,roomNumber
>
Try
example:DNComps ou,o
>
> example:FilterComps l,email,uid,telephoneNumber
>
example:FilterComps cn
>
> example:CmapLdapAttr certSubjectDN
>
I don't think you want to use CmapLdapAttr.
See http://directory.fedoraproject.org/wiki/Howto:CertMapping
for more information.
>
>
> Generation of CA cert:
>
> certutil -S -n "CertCA" -s "ou= employees,o= us.com"
> -x -t "CT,," -m 1000 -v 120 -d <path/to/instance cert db>
> -z noise.txt -f pwdfile.txt
>
> Is this correct?
>
> I assume ou=employees,o=us.com is my CA cert issuer.
> So I am using it as issuerDN value in certmap.conf.
>
> Creating the client certificate:
>
> certutil -S -n "certuser" -s "cn=certuser, ou=employees,o=us.com"
> -c " CertCA " -t "u,u,u" -m 1003 -v 120 -d
> <path/to/instance cert db> -z noise.txt -f pwdfile.txt
>
> and adding the userCertificate;binary attribute to that user entry, after
> creating the binary certificate:
>
> certutil -L -d <instance-path> -n "certuser" -r >usercert.bin
>
> When I try to ldapsearch:
>
> ldapsearch -h myhost -p 636 -Z -P
> /etc/opt/dirsrv/slapd-<instance>/cert8.db -N " certuser " -K
> /etc/opt/dirsrv/slapd-<instance>/key3.db -W "password" -b "o=us.com"
> cn=certuser
>
> ldap_sasl_bind: Invalid credentials
> ldap_sasl_bind: additional info: client certificate mapping failed
>
> But when I change the issuerDN in the certmap.conf file to any other DN
> (even a non-existent, invalid one) I get the search
> result properly. But the criterion is that the issuerDN in certmap.conf
> should be exactly the same DN that issued the CA certificate.
>
> The problem is that whenever I use the correct issuerDN in the first line of
> the certmap.conf file I get the error.
>
> I am totally confused. Can somebody help me to get rid of this problem?
>
> Thanks in advance,
> Neuron Ring.
>
> Hello Neuron Ring.
>
>
> Certificate to LDAP Mapping:
>
> http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
>
> Page 198 ish.
>
> API:
> ----
>
> From page 201 of the above guide:
>
>
> < You can use the Certificate Mapping API to create your own
> < properties. For information on using the Certificate Mapping API, see
> < Certificate Mapping SDKs at the following URL
>
> - which is followed by a defunct link.
>
> Try here, rather:
>
> http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/
>
> I hope this helps; laters. I'll keep an eye out for further questions
> along this line.
>
>
> --------------------------------------------------------------------------------
> Date: Tue, 24 Mar 2009 17:51:50 +0530
> From: neuronring at gmail.com
> To: fedora-directory-users at redhat.com
> Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
>
> Hi all,
>
> I need to use Certificate to LDAP Mapping functionality.
>
> The README file in the source ldapserver/lib/ldaputil/examples path
> suggests:
> Refer to the "Certificate to LDAP Mapping API" documentation to find out
> about the various API functions and how you can write your
> plug-in.
>
> It also says to refer to the Managing Servers manual. But I couldn't get those
> documents. How can I write my own plug-in for LDAP Mapping?
>
> Or what can I do with the certmap.conf file to configure Certificate to
> LDAP Mapping?
>
> Can somebody provide a link to that document or explain
> what Certificate to LDAP Mapping is?
>
> Thanks in advance,
> Neuron Ring.
>
>
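To make the DNComps/FilterComps suggestion above concrete, here is an added example (not code from the thread or from the directory server) that models, in simplified form, how those two certmap.conf settings turn a certificate subject into an LDAP search base and filter. The exact server algorithm is assumed rather than reproduced; the subject DN and attribute lists below are constructed from the values in this thread.

```python
"""Simplified model of certmap.conf DNComps/FilterComps mapping (constructed example)."""


def parse_dn(dn):
    """Split a DN string into (attr, value) pairs, keeping backslash-escaped commas.

    Attribute types are lower-cased; whitespace around '=' and ',' is dropped.
    """
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: copy it verbatim
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def certmap_lookup(subject_dn, entry):
    """Derive (search base, filter) from a cert subject the way DNComps/FilterComps do.

    `entry` is the certmap.conf entry for the matched issuer, e.g.
    {"DNComps": "ou,o", "FilterComps": "cn"}.  Returns None when no FilterComps
    attribute is present in the subject, i.e. no usable filter can be built
    (simplified model; this is the situation that surfaces as a mapping failure).
    """
    subject = parse_dn(subject_dn)
    dn_comps = [a.strip().lower() for a in entry.get("DNComps", "").split(",") if a.strip()]
    filter_comps = [a.strip().lower() for a in entry.get("FilterComps", "").split(",") if a.strip()]
    # Search base: the subject RDNs whose type is listed in DNComps, in subject order
    base = ",".join(f"{a}={v}" for a, v in subject if a in dn_comps)
    # Filter: AND of every FilterComps attribute that actually appears in the subject
    terms = [f"({a}={v})" for a, v in subject if a in filter_comps]
    if not terms:
        return None
    return base, (terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")")
```

With the thread's subject `cn=certuser,ou=employees,o=us.com`, `DNComps ou,o` and `FilterComps cn` yield base `ou=employees,o=us.com` and filter `(cn=certuser)`, whereas the original `FilterComps l,email,uid,telephoneNumber` names attributes that the certificate subject does not carry, so no filter can be formed.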