Hi Sergio,
I'm not sure if this has ever made it into the Dogtag documentation, but here are
the instructions I have written for bound LDAP-based authentication. I
can't say that I remember every detail, but it's what I have written
down anyway ;-/
In some environments, one might want to disallow anonymous bind for the
LDAP server that is used for authentication. To create a bound
connection between a CA and the LDAP server, you need to make a few
configuration changes:
* Set up directory-based authentication as in the following example in CS.cfg:

    auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
    auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
    auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
    auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
    externalLDAP.authPrefix=auths.instance.UserDirEnrollment
    cms.passwordlist=internaldb,replicationdb,externalLDAP

  where the bindPWPrompt is the "tag" or "prompt" that is used in the
  password.conf file; it is also the name used under the passwordlist and
  the authPrefix.
* Add the "tag" or "prompt" from the CS.cfg with its password in
  password.conf:

    externalLDAP=<your password>
Please try it out and let us know if it works or if you need any clarification.
Hope this helps,
Christina
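A consistency check for the settings above, added here as an example; it is not code from Dogtag or from either message in this thread. It parses a CS.cfg fragment and a password.conf the way both files are written (one key=value per line) and verifies the things the instructions tie together: ldapBoundConn, authtype, bindDN, the bindPWPrompt tag, the tag's authPrefix entry, the tag in cms.passwordlist, and a matching line in password.conf. The two sample configs and the password.conf are constructed for the example (the service account DN copies the one in the question, the placeholder passwords are not real), and the check assumes that list of settings is complete, which is what the instructions say rather than something confirmed against Dogtag's documentation.

```python
"""Check that a Dogtag CS.cfg and password.conf agree on a bound LDAP
authentication connection.

Added example, not Dogtag's own code. It assumes the settings listed in the
thread are the complete set needed for a bound connection.
"""
from typing import Dict, List

AUTH_PREFIX = "auths.instance.UserDirEnrollment"

# Constructed CS.cfg fragment resembling the failing setup from the question:
# a bind DN and a prompt are set, but nothing enables the bound connection or
# ties the prompt to a password.
BROKEN_CS_CFG = """\
# ... other CS.cfg settings omitted ...
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
cms.passwordlist=internaldb,replicationdb
"""

# Constructed CS.cfg fragment following the instructions above, with a
# dedicated service account instead of cn=Directory Manager.
FIXED_CS_CFG = """\
# ... other CS.cfg settings omitted ...
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
cms.passwordlist=internaldb,replicationdb,externalLDAP
"""

# Constructed password.conf; the values are placeholders, not real secrets.
PASSWORD_CONF = """\
internal=placeholder-nss-db-password
internaldb=placeholder-internaldb-password
replicationdb=placeholder-replication-password
externalLDAP=placeholder-service-account-password
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines. Blank lines and '#' comments are skipped and
    only the first '=' separates key from value, so a value may contain '='."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_bound_ldap(cs_cfg: str, password_conf: str,
                     prefix: str = AUTH_PREFIX) -> List[str]:
    """Return a list of problems; an empty list means the files are consistent."""
    cfg = parse_properties(cs_cfg)
    secrets = parse_properties(password_conf)
    ldap = f"{prefix}.ldap"
    problems: List[str] = []

    if cfg.get(f"{ldap}.ldapBoundConn", "").lower() != "true":
        problems.append(f"{ldap}.ldapBoundConn is not set to true")
    if cfg.get(f"{ldap}.ldapauth.authtype") != "BasicAuth":
        problems.append(f"{ldap}.ldapauth.authtype is not BasicAuth")
    if not cfg.get(f"{ldap}.ldapauth.bindDN"):
        problems.append(f"{ldap}.ldapauth.bindDN is missing")

    tag = cfg.get(f"{ldap}.ldapauth.bindPWPrompt")
    if not tag:
        problems.append(f"{ldap}.ldapauth.bindPWPrompt is missing")
        return problems  # the remaining checks all key off the tag

    # The same tag must appear in three more places.
    if cfg.get(f"{tag}.authPrefix") != prefix:
        problems.append(f"{tag}.authPrefix is missing or is not {prefix}")
    password_list = [t.strip() for t in cfg.get("cms.passwordlist", "").split(",")
                     if t.strip()]
    if tag not in password_list:
        problems.append(f"tag {tag!r} is not listed in cms.passwordlist")
    if tag not in secrets:
        problems.append(f"password.conf has no {tag}=<password> line")
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CS_CFG), ("fixed", FIXED_CS_CFG)):
        found = check_bound_ldap(cfg, PASSWORD_CONF)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run against a real instance by reading CS.cfg and password.conf from the instance's conf directory; the check is read-only and never prints the password values. Using a dedicated, read-only service account for bindDN, as the fixed fragment does, keeps the CA from holding the directory superuser's password; cn=Directory Manager in the instructions above is the 389 DS root DN and has full rights over the directory.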
On 07/26/2016 06:01 AM, Sérgio Pereira wrote:
Hi there,
I'm having a hard time setting up directory-based authentication
for Dogtag 10.3.3-1. I followed the instructions at
http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and
I get an error when trying to bind/authenticate against the directory
service (Microsoft AD2008), as follows:
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication: authenticate: before authenticate() call
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication: Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User authentication failure: netscape.ldap.LDAPException: error result (1); 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing bad connection
The directives (below) are used to bind to the AD2008, and I already
tested the account and it is working.

auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
John Luk is applying for the certificate using the web enrollment
process (caDirUserCert profile).
What am I missing?
Thx,
sergio
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users