This patch is for ticket https://fedorahosted.org/pki/ticket/1531: Directory auth plugin requires LDAP anonymous binds.
This patch adds a feature to allow a directory-based authentication plugin to use a bound LDAP connection instead of an anonymous one.
Two files need to be edited:

1. <instance>/conf/password.conf
   add a "tag" and the password of the binding user DN to the file
   e.g. externalLDAP=password123

2. <instance>/ca/CS.cfg
   add the tag to cms.passwordlist:
   e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
   add the prefix of the auths entry for the authentication instance
   e.g. externalLDAP.prefix=auths.instance.UserDirEnrollment
   add the relevant entries to the authentication instance
   e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
        auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
        auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
The code has been tested to work.
The code (in its plugin form) has also been tested to work successfully
with an ldap server that has its anonymous bind turned off.
thanks,
Christina
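As an added example that is not part of the patch or of the project's own code: a small Python check, assuming both files are plain key=value text as shown in the mail, that verifies the settings above are wired together consistently (the tag present in password.conf and in cms.passwordlist, the prefix pointing at the instance, and the bound-connection entries set) so the plugin is not silently left on an anonymous bind or without a password.

```python
# Added example, not part of the patch: a consistency check for the
# bound-connection settings described in the mail. It reads the contents of
# <instance>/conf/password.conf and <instance>/ca/CS.cfg as key=value text.

def parse_kv(text):
    """Parse key=value lines; split on the first '=' so DN values survive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_bound_ldap(cs_cfg, password_conf, instance="UserDirEnrollment"):
    """Return a list of problems; an empty list means the wiring is complete."""
    cfg, pw = parse_kv(cs_cfg), parse_kv(password_conf)
    p = f"auths.instance.{instance}"
    problems = []
    if cfg.get(f"{p}.ldap.ldapBoundConn", "false").lower() != "true":
        return [f"{p}.ldap.ldapBoundConn is not true (anonymous bind will be used)"]
    if cfg.get(f"{p}.ldap.ldapauth.authtype") != "BasicAuth":
        problems.append(f"{p}.ldap.ldapauth.authtype should be BasicAuth")
    if not cfg.get(f"{p}.ldap.ldapauth.bindDN"):
        problems.append(f"{p}.ldap.ldapauth.bindDN is missing")
    tag = cfg.get(f"{p}.ldap.ldapauth.bindPWPrompt")
    if not tag:
        problems.append(f"{p}.ldap.ldapauth.bindPWPrompt is missing")
        return problems
    tags = [t.strip() for t in cfg.get("cms.passwordlist", "").split(",")]
    if tag not in tags:
        problems.append(f"tag {tag} is not listed in cms.passwordlist")
    if cfg.get(f"{tag}.prefix") != p:
        problems.append(f"{tag}.prefix should be {p}")
    if not pw.get(tag):
        problems.append(f"password.conf has no password for tag {tag}")
    return problems

# Constructed sample files following the settings given in the mail.
PASSWORD_CONF = "internaldb=secret1\nexternalLDAP=password123\n"
CS_CFG = """\
cms.passwordlist=internaldb,replicationdb,externalLDAP
externalLDAP.prefix=auths.instance.UserDirEnrollment
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
"""
```

Running `check_bound_ldap(CS_CFG, PASSWORD_CONF)` on the sample returns an empty list; dropping the tag from password.conf or the prefix line from CS.cfg names the missing piece.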