Hi Emily,
By default SCEP could take a challengePassword (internally "challengePhrase") that you could map with the host id, which is what the FlatFile authentication does.  However, the directory based authenticator handles literally "uid" and "pwd".  You will need to get challengePhrase mapped to pwd into the request, and to do that you could write a plugin for it.

I think you could try editing the following file
server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
to get "uid" and "pwd" filled in the request.
We have professional services that could help write plugins.

Christina
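An added illustration of the mapping described above (example code written for this thread, not Dogtag's CRSEnrollment.java or any poster's code): it shows where the SCEP challengePassword sits in a PKCS#10 request (the PKCS#9 attribute 1.2.840.113549.1.9.7), pulls it out, and fills a credential set with "uid" and "pwd" the way a directory-based authenticator expects. It assumes the uid is the client's source address, as the flat-file authenticator does, and uses a constructed in-memory dictionary standing in for the ou=RouterID entry quoted further down; the DER encoder and decoder are minimal hand-written helpers, not a real PKCS#10 library, and the placeholder public key is not a usable key.

```python
import hmac

CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"   # PKCS#9 challengePassword
CN_OID = "2.5.4.3"                                # X.520 commonName
RSA_OID = "1.2.840.113549.1.1.1"                  # rsaEncryption (placeholder SPKI only)

# Constructed stand-in for the LDAP entry uid=172.18.240.11 / userPassword testpass.
DIRECTORY = {"172.18.240.11": "testpass"}


# --- minimal DER helpers (enough for CertificationRequestInfo) ---------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


# --- build a sample CertificationRequestInfo (constructed test input) ----------
def build_request_info(subject_cn, challenge=None):
    name = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid(CN_OID) + tlv(0x13, subject_cn.encode()))))
    spki = tlv(0x30, tlv(0x30, encode_oid(RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00"))
    attrs = b""
    if challenge is not None:   # Attribute ::= SEQUENCE { type OID, values SET OF value }
        attrs = tlv(0x30, encode_oid(CHALLENGE_PASSWORD_OID) + tlv(0x31, tlv(0x13, challenge.encode())))
    # attributes [0] IMPLICIT SET OF Attribute -> context tag 0xA0 replaces the SET tag
    return tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, attrs))


# --- what an authentication plugin would do with the request ------------------
def parse_challenge_password(cri_der):
    """Return the challengePassword string from the request attributes, or None."""
    tag, body, _ = read_tlv(cri_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    for ctag, cbody in iter_children(body):
        if ctag != 0xA0:
            continue
        for _, attr in iter_children(cbody):
            children = list(iter_children(attr))
            if decode_oid(children[0][1]) == CHALLENGE_PASSWORD_OID:
                for vtag, value in iter_children(children[1][1]):
                    return value.decode("ascii" if vtag == 0x13 else "utf-8")
    return None


def build_credentials(cri_der, client_ip):
    """Map request data onto the uid/pwd pair a directory authenticator reads."""
    return {"uid": client_ip, "pwd": parse_challenge_password(cri_der)}


def authenticate(creds, directory):
    # Unmapped credentials fail here before any directory lookup, which is the
    # "credential for uid is null" situation seen in the debug log below.
    for key in ("uid", "pwd"):
        if creds.get(key) is None:
            return False, "Authentication credential for %s is null" % key
    stored = directory.get(creds["uid"])
    if stored is None or not hmac.compare_digest(stored.encode(), creds["pwd"].encode()):
        return False, "bind failed"
    return True, "ok"


if __name__ == "__main__":
    req = build_request_info("emilyvpn.sample.com", "testpass")
    print(authenticate(build_credentials(req, "172.18.240.11"), DIRECTORY))
```

The point of the example is the middle layer: the authenticator never sees the SCEP message, only the credential map, so the null uid and credential in the log mean nothing populated that map, not that the directory bind failed.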


On 05/01/2015 12:34 PM, Emily Stemmerich wrote:
Hi,

I was wondering if anyone could offer some assistance with getting SCEP working with LDAP auth?

Thanks!
-Emily

Date: Monday, April 27, 2015 at 4:53 PM
To: "pki-users@redhat.com" <pki-users@redhat.com>
Subject: [Pki-users] SCEP directory authentication

Hi,

I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity certificates obtained by Cisco Routers via SCEP to be auto-renewing.  I have found that the one-time pin model doesn’t work for auto-renewal.  I was pointed to the RedHat document below that discusses using directory-based auth in Section 8.2.1, but I’m having issues with getting it to work.

 https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Setting_up_Directory_Based_Authentication

I’m not certain what to put in the dnpattern attribute, there are no examples I can find, and I am wondering if it is the reason attempts show uid and credentials as null from the router (details of the setup later on in this email).
  • dnpattern. Specifies a string representing a subject name pattern to formulate from the directory attributes and entry DN.
------------------------------------------

From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg instead of flatfile):

auths.instance.RouterAuth.pluginName=UidPwdDirAuth
auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
auths.instance.RouterAuth.ldap.ldapconn.host=localhost
auths.instance.RouterAuth.ldap.ldapconn.port=389
auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
------------------------------------------

I’ve created a hierarchy outside of dogtag for doing router auth:
ou=RouterID,dc=auth,dc=sample,dc=com
------------------------------------------

Test User Account (I am not sure what objectClass to use, so I found one with uid and password as options and used that):
dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
uid: 172.18.240.11
objectClass: inetUser
userPassword: testpass

------------------------------------------
Router config.  For flatfile auth it ends up using the wan IP and the password in the identity section, however for LDAP auth I don’t know what things would map to:

crypto ca identity SAMPLE
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair  MEVO 2048
auto-enroll 75
crl optional
exit

crypto ca authenticate SAMPLE

------------------------------------------

When I try and get a cert from the Cisco Router I get output like the following in the debug file that lists both UID and credential as null:

[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:

Thanks for any assistance,
-Emily