[Pki-users] SCEP directory authentication
Emily Stemmerich
Emily at arcananet.com
Mon Apr 27 23:53:43 UTC 2015
Hi,
I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity certificates obtained by Cisco Routers via SCEP to be auto-renewing. I have found that the one-time pin model doesn’t work for auto-renewal. I was pointed to the RedHat document below that discusses using directory-based auth in Section 8.2.1, but I’m having issues with getting it to work.
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Setting_up_Directory_Based_Authentication
I’m not certain what to put in the dnpattern attribute and there are no examples I can find and am wondering if it is the reason attempts show uid and credentials as null from the router – details of the setup later on in this email.
* dnpattern. Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN.
------------------------------------------
From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg instead of flatfile):
auths.instance.RouterAuth.pluginName=UidPwdDirAuth
auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
auths.instance.RouterAuth.ldap.ldapconn.host=localhost
auths.instance.RouterAuth.ldap.ldapconn.port=389
auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
------------------------------------------
I’ve created a hierarchy outside of dogtag for doing router auth:
ou=RouterID,dc=auth,dc=sample,dc=com
------------------------------------------
Test User Account (I am not sure what objectClass to use, so I found one with uid and password as options and used that):
dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
uid: 172.18.240.11
objectClass: inetUser
userPassword: testpass
------------------------------------------
Router config. For flatfile auth it ends up using the WAN IP and the password in the identity section, however for LDAP auth I don’t know what things would map to:
crypto ca identity SAMPLE
enrollment url http://172.21.4.239:8080/ca/cgi-bin
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair MEVO 2048
auto-enroll 75
crl optional
exit
crypto ca authenticate SAMPLE
------------------------------------------
When I try and get a cert from the Cisco Router I get output like the following in the debug file that lists both UID and credential as null:
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:
Thanks for any assistance,
-Emily
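As an added illustration of what a dnpattern does with an entry like the one above (example code written for this thread, not Dogtag's own implementation): the `$attr.<name>[.N]` / `$dn.<rdn-type>[.N]` variable syntax is assumed from the linked Red Hat admin guide, and dropping components whose variable cannot be resolved is this example's own choice, not documented plugin behaviour.

```python
import re
from typing import Dict, List

# Constructed sample: the test entry from the post, as attribute -> values.
SAMPLE_ENTRY = {
    "dn": "uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com",
    "uid": ["172.18.240.11"],
    "objectClass": ["inetUser"],
    "userPassword": ["testpass"],
}

# $attr.<name>[.N] or $dn.<rdn-type>[.N]  (syntax assumed from the admin guide)
_VAR = re.compile(r"\$(attr|dn)\.([A-Za-z][A-Za-z0-9-]*)(?:\.(\d+))?")


def rdn_values(dn: str, attr_type: str) -> List[str]:
    """Values of every RDN of type attr_type in dn, ordered leaf (left) to root (right)."""
    vals = []
    for rdn in dn.split(","):
        k, _, v = rdn.strip().partition("=")
        if k.strip().lower() == attr_type.lower():
            vals.append(v.strip())
    return vals


def expand_dnpattern(pattern: str, entry: Dict[str, object]) -> str:
    """Build a subject name from a dnpattern, an entry's attributes and its DN.

    $attr.x.N picks the N-th (1-based) value of attribute x; $dn.x.N picks the
    N-th RDN of type x from the entry DN. Unresolved components are dropped
    (this example's choice; Dogtag's handling of missing values is not shown here).
    """
    attrs = {k.lower(): v for k, v in entry.items()}

    def resolve(m):
        source, name, idx = m.group(1), m.group(2), m.group(3)
        i = int(idx) - 1 if idx else 0
        vals = rdn_values(entry["dn"], name) if source == "dn" else attrs.get(name.lower(), [])
        if not isinstance(vals, list):
            vals = [vals]
        return vals[i] if 0 <= i < len(vals) else ""

    components = []
    for comp in pattern.split(","):
        expanded = _VAR.sub(resolve, comp.strip())
        # Keep only components whose value side resolved to something non-empty.
        if expanded.partition("=")[2].strip():
            components.append(expanded)
    return ", ".join(components)
```

With the sample entry, `UID=$attr.uid, OU=$dn.ou, O=Sample Routers` expands to `UID=172.18.240.11, OU=RouterID, O=Sample Routers`, which is the kind of subject the router's certificate would carry.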