[Pki-users] setting up Directory-based authentication
Christina Fu
cfu at redhat.com
Mon Aug 1 21:18:50 UTC 2016
Hi Sergio,
I'm not sure if this has ever made it into dogtag document, but here is
the instruction I have written for bound LDAP based authentication. I
can't say that I remember every detail, but it's what I have written
down anyway ;-/
In some environments, one might want to disallow anonymous bind for the
ldap server that is used for authentication. To create a bound
connection between a CA and the ldap server, you need to make a few
configuration changes:
1. Set up directory-based authentication as in the following example in CS.cfg:

auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
cms.passwordlist=internaldb,replicationdb,externalLDAP

where the bindPWPrompt is the "tag" or "prompt" that is used in the
password.conf file; it is also the name used under the passwordlist and
the authPrefix.

2. Add the "tag" or "prompt" from the CS.cfg with its password in the
password.conf:

externalLDAP=<your password>
Please try it out and let us know if it works or if you need any clarification.
Hope this helps,
Christina
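The wiring above has four pieces that must agree (ldapBoundConn, the bindPWPrompt tag, cms.passwordlist, the tag's authPrefix, plus the password.conf entry). The following checker is an added example, not code from this thread or from Dogtag; it assumes CS.cfg and password.conf are plain key=value text and uses the instance and tag names from the mail, with constructed sample contents.

```python
# Added example (not code from the thread): consistency check for the CS.cfg /
# password.conf wiring the mail describes; both files treated as key=value text.
def parse_kv(text):
    """Parse key=value lines, splitting at the first '=' so DNs keep theirs."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def check_bound_ldap_auth(cs_cfg, password_conf, instance="UserDirEnrollment"):
    """Return what breaks a bound LDAP connection; an empty list means consistent."""
    cfg, pw = parse_kv(cs_cfg), parse_kv(password_conf)
    prefix = f"auths.instance.{instance}"
    problems = []
    if cfg.get(f"{prefix}.ldap.ldapBoundConn", "").lower() != "true":
        problems.append("ldapBoundConn is not true, so the CA will not bind before searching")
    if cfg.get(f"{prefix}.ldap.ldapauth.authtype") != "BasicAuth":
        problems.append("ldapauth.authtype is not BasicAuth")
    if not cfg.get(f"{prefix}.ldap.ldapauth.bindDN"):
        problems.append("ldapauth.bindDN is missing")
    tag = cfg.get(f"{prefix}.ldap.ldapauth.bindPWPrompt")
    if not tag:
        return problems + ["ldapauth.bindPWPrompt (password tag) is missing"]
    # The tag must be in the password list, point back at the instance, and have a password.
    if tag not in cfg.get("cms.passwordlist", "").split(","):
        problems.append(f"tag {tag!r} is not in cms.passwordlist")
    if cfg.get(f"{tag}.authPrefix") != prefix:
        problems.append(f"{tag}.authPrefix does not point at {prefix}")
    if not pw.get(tag):
        problems.append(f"password.conf has no entry for tag {tag!r}")
    return problems

# Constructed sample: the working layout from the mail.
GOOD_CS_CFG = """
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
cms.passwordlist=internaldb,replicationdb,externalLDAP
"""
GOOD_PASSWORD_CONF = "internaldb=<placeholder>\nexternalLDAP=<placeholder>\n"
# Constructed sample: only bindDN and bindPWPrompt set, as in the question below.
BROKEN_CS_CFG = """
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
cms.passwordlist=internaldb,replicationdb
"""
```

Running `check_bound_ldap_auth(BROKEN_CS_CFG, GOOD_PASSWORD_CONF)` reports the missing ldapBoundConn, passwordlist entry, authPrefix and password.conf entry, which is the gap between the question's two directives and the working layout.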
On 07/26/2016 06:01 AM, Sérgio Pereira wrote:
>
> Hi there,
>
> I’m having a hard time setting up the directory-based authentication
> for dogtag 10.3.3-1. I did follow the instructions as
> http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and
> I get an error when trying to bind/authenticate against directory
> service (Microsoft AD2008) as follows:
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication:
> authenticate: before authenticate() call
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication:
> Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User
> authentication failure: netscape.ldap.LDAPException: error result (1);
> 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this
> operation a successful bind must be completed on the connection., data
> 0, v1772
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing
> bad connection
>
> The directives (below) are used to bind the AD2008 and I already
> tested the account and it is working.
>
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service
> Account,ou=IT,dc=domain,dc=com
>
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
>
> John Luk is applying for the certificate using the web enrollment
> process (caDirUserCert profile).
>
> What am I missing?
>
> Thx,
>
> sergio