[Pki-users] setting up Directory-based authentication

Christina Fu cfu at redhat.com
Mon Aug 1 21:18:50 UTC 2016


Hi Sergio,

I'm not sure if this has ever made it into the dogtag documentation, but here 
are the instructions I have written for bound LDAP based authentication.  I 
can't say that I remember every detail, but it's what I have written 
down anyway ;-/

In some environments, one might want to disallow anonymous bind for the 
ldap server that is used for authentication.  To create a bound 
connection between a CA and the ldap server, you need to make a few 
configuration changes:

  * Set up directory-based authentication as in the following example in CS.cfg:

        auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
        auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
        externalLDAP.authPrefix=auths.instance.UserDirEnrollment
        cms.passwordlist=internaldb,replicationdb,externalLDAP

    where the bindPWPrompt is the "tag" or "prompt" that is used in the
    password.conf file; it is also the name used under the passwordlist and
    the authPrefix.

  * Add the "tag" or "prompt" from the CS.cfg with its password in the
    password.conf:

        externalLDAP=<your password>

Please try it out and let us know if it works or if you need any clarification.

Hope this helps,

Christina
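Added example, not from the thread or the dogtag project: a small checker that reads a CS.cfg and a password.conf as key=value files and verifies that the bound-connection settings described above are wired consistently (ldapBoundConn, BasicAuth, bindDN, the bindPWPrompt tag, its authPrefix, cms.passwordlist, and the password.conf entry). The sample configuration and the PLACEHOLDER password are constructed for the example.

```python
# Added example, not from the thread: check that a CS.cfg / password.conf pair
# wires a bound LDAP authentication instance as described above. Sample data is constructed.

def parse_props(text):
    """Parse key=value lines; CS.cfg and password.conf share this layout."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # bindDN values contain '=' themselves
            props[key.strip()] = value.strip()
    return props

def check_bound_ldap(cs_cfg, password_conf, instance="UserDirEnrollment"):
    """Return the list of wiring problems; an empty list means the bound connection is consistent."""
    cfg, pw = parse_props(cs_cfg), parse_props(password_conf)
    prefix = f"auths.instance.{instance}"
    problems = []
    if cfg.get(f"{prefix}.ldap.ldapBoundConn") != "true":
        problems.append("ldapBoundConn is not true, so the CA will not bind before searching")
    if cfg.get(f"{prefix}.ldap.ldapauth.authtype") != "BasicAuth":
        problems.append("ldapauth.authtype is not BasicAuth")
    if not cfg.get(f"{prefix}.ldap.ldapauth.bindDN"):
        problems.append("ldapauth.bindDN is missing")
    tag = cfg.get(f"{prefix}.ldap.ldapauth.bindPWPrompt")
    if not tag:
        return problems + ["ldapauth.bindPWPrompt (the password tag) is missing"]
    if cfg.get(f"{tag}.authPrefix") != prefix:
        problems.append(f"{tag}.authPrefix does not name {prefix}")
    if tag not in cfg.get("cms.passwordlist", "").split(","):
        problems.append(f"{tag} is not listed in cms.passwordlist")
    if not pw.get(tag):
        problems.append(f"password.conf has no {tag}=<password> entry")
    return problems

# Constructed sample matching the mail above; the password is a placeholder.
GOOD_CS_CFG = """
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
cms.passwordlist=internaldb,replicationdb,externalLDAP
"""
GOOD_PASSWORD_CONF = "internaldb=PLACEHOLDER\nexternalLDAP=PLACEHOLDER\n"
```

Run `check_bound_ldap(GOOD_CS_CFG, GOOD_PASSWORD_CONF)` against your own files' contents; a non-empty list names the setting that still needs attention.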


On 07/26/2016 06:01 AM, Sérgio Pereira wrote:
>
> Hi there,
>
> I’m having a hard time setting up the directory-based authentication 
> for dogtag 10.3.3-1. I did follow the instructions as 
> http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and 
> I get an error when trying to bind/authenticate against directory 
> service (Microsoft AD2008) as follows:
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication: 
> authenticate: before authenticate() call
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication: 
> Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User 
> authentication failure: netscape.ldap.LDAPException: error result (1); 
> 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this 
> operation a successful bind must be completed on the connection., data 
> 0, v1772
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing 
> bad connection
>
> The directives (below) are used to bind the AD2008 and I already 
> tested the account and it is working.
>
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service 
> Account,ou=IT,dc=domain,dc=com
>
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
>
> John Luk is applying for the certificate using the web enrollment 
> process (caDirUserCert profile).
>
> What am I missing?
>
> Thx,
>
> sergio
