[Pki-users] setting up Directory-based authentication

Sérgio Pereira sergio.pereira at gps-pamcary.com.br
Tue Aug 2 13:16:05 UTC 2016


Hi Christina,

Worked like a charm. I suggest updating the documentation
(http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles)
mentioning the tag ldapBoundConn=true (there is no reference for it). Also,
I've noticed that the authentication is based on uid ldap attribute ... is
there any way of changing it to authenticate against sAMAccountName
(Microsoft Active Directory attribute)? I didn't find any tag to define the
attribute I want to authenticate against.

Thank you once more

sergio


Date: Mon, 1 Aug 2016 14:18:50 -0700
From: Christina Fu <cfu at redhat.com>
To: pki-users at redhat.com
Subject: Re: [Pki-users] setting up Directory-based authentication
Message-ID: <50d8356b-7507-8c99-db1d-72c7fd4ea2b8 at redhat.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"

Hi Sergio,

I'm not sure if this has ever made it into dogtag document, but here is the
instruction I have written for bound LDAP based authentication.  I can't say
that I remember every detail, but it's what I have written down anyway ;-/

In some environment, one might want to disallow anonymous bind for the ldap
server that is used for authentication.  To create a bound connection
between a CA and the ldap server, you need to make a few configuration
changes:

  * Set up directory-based authentication as in the following example in CS.cfg:

        auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
        auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
        externalLDAP.authPrefix=auths.instance.UserDirEnrollment
        cms.passwordlist=internaldb,replicationdb,externalLDAP

    where the bindPWPrompt is the "tag" or "prompt" that is used in the
    password.conf file; it is also the name used under the passwordlist and the
    authPrefix.

  * Add the "tag" or "prompt" from the CS.cfg with its password in the
    password.conf:

        externalLDAP=<your password>

Please try it out and let us know if it works or need any clarification.

Hope this helps,

Christina


On 07/26/2016 06:01 AM, Sérgio Pereira wrote:
>
> Hi there,
>
> I'm having a hard time setting up the directory-based authentication 
> for dogtag 10.3.3-1. I did follow the instructions as 
> http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and 
> I get an error when trying to bind/authenticate against directory 
> service (Microsoft AD2008) as follows:
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication: 
> authenticate: before authenticate() call
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating 
> UID=john.luk
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication: 
> Authenticating: Searching for uid=john.luk base 
> DN=OU=IT,dc=domain,dc=com
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User 
> authentication failure: netscape.ldap.LDAPException: error result (1);
> 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this 
> operation a successful bind must be completed on the connection., data 
> 0, v1772
>
> [26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing 
> bad connection
>
> The directives (below) are used to bind the AD2008 and I already 
> tested the account and it is working.
>
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
>
> auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
>
> John Luk is applying for the certificate using the web enrollment 
> process (caDirUserCert profile).
>
> What am I missing?
>
> Thx,
>
> sergio
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
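The settings Christina lists form a chain: the bindPWPrompt tag in CS.cfg must match an `<tag>.authPrefix` entry pointing back at the auth instance, appear in cms.passwordlist, and have a password in password.conf. The script below is an added example (not Dogtag code and not from either poster) that parses CS.cfg-style and password.conf-style key=value text and reports any break in that chain, so a misconfiguration like the one in the original report (bound connection not enabled) is caught before the CA fails the LDAP search. The sample configuration and the placeholder passwords are constructed from the values quoted in the thread.

```python
"""Consistency check for Dogtag bound-LDAP authentication settings.

Added example, not Dogtag's own code. It reads CS.cfg-style and
password.conf-style key=value text and verifies that the settings that
must agree with each other actually do. Sample input is constructed
from the mail; the secrets are placeholders.
"""
from typing import Dict, List

# Constructed sample: the CS.cfg fragment from the thread as key=value lines.
SAMPLE_CS_CFG = """
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
cms.passwordlist=internaldb,replicationdb,externalLDAP
"""

# Constructed password.conf with placeholder secrets (never real passwords).
SAMPLE_PASSWORD_CONF = """
internaldb=PLACEHOLDER_INTERNALDB_PASSWORD
replicationdb=PLACEHOLDER_REPLICATION_PASSWORD
externalLDAP=PLACEHOLDER_EXTERNAL_LDAP_PASSWORD
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse key=value lines; split on the first '=' only, because a
    value such as a bind DN (cn=Directory Manager) contains '=' itself."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def check_bound_ldap(cs_cfg: Dict[str, str], password_conf: Dict[str, str],
                     instance: str = "UserDirEnrollment") -> List[str]:
    """Return the list of problems found; an empty list means consistent."""
    prefix = f"auths.instance.{instance}"
    ldap = f"{prefix}.ldap"
    problems: List[str] = []

    if cs_cfg.get(f"{ldap}.ldapBoundConn", "false").lower() != "true":
        # Without this the CA searches the directory without binding as the
        # service account, which a server refusing anonymous binds rejects
        # with the "successful bind must be completed" error from the log.
        problems.append(f"{ldap}.ldapBoundConn is not true")
        return problems

    if cs_cfg.get(f"{ldap}.ldapauth.authtype") != "BasicAuth":
        problems.append(f"{ldap}.ldapauth.authtype should be BasicAuth")
    if not cs_cfg.get(f"{ldap}.ldapauth.bindDN"):
        problems.append(f"{ldap}.ldapauth.bindDN is missing")

    tag = cs_cfg.get(f"{ldap}.ldapauth.bindPWPrompt")
    if not tag:
        problems.append(f"{ldap}.ldapauth.bindPWPrompt is missing")
        return problems

    # The prompt tag must point back at the auth instance ...
    if cs_cfg.get(f"{tag}.authPrefix") != prefix:
        problems.append(f"{tag}.authPrefix should be {prefix}")
    # ... be listed so the password is loaded with the others ...
    pwlist = [p.strip() for p in cs_cfg.get("cms.passwordlist", "").split(",")
              if p.strip()]
    if tag not in pwlist:
        problems.append(f"{tag} is not in cms.passwordlist")
    # ... and have a matching entry in password.conf.
    if not password_conf.get(tag):
        problems.append(f"password.conf has no entry for {tag}")
    return problems


def check_sample() -> List[str]:
    """Run the check over the constructed sample files."""
    return check_bound_ldap(parse_kv(SAMPLE_CS_CFG),
                            parse_kv(SAMPLE_PASSWORD_CONF))


if __name__ == "__main__":
    issues = check_sample()
    print("OK" if not issues else "\n".join(issues))
```

Run it against the real files by passing `open("CS.cfg").read()` and `open("password.conf").read()` to `parse_kv`; the check reads only key names and whether a value exists, so it never prints the secrets.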
