Hi Christina,
Worked like a charm. I suggest updating the documentation
(http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles)
mentioning the tag ldapBoundConn=true (there is no reference for it). Also,
I've noticed that the authentication is based on uid ldap attribute ... is
there any way of changing it to authenticate against sAMAccountName
(Microsoft Active Directory attribute)? I didn't find any tag to define the
attribute I want to authenticate against.
Thank you once more
sergio
Date: Mon, 1 Aug 2016 14:18:50 -0700
From: Christina Fu <cfu(a)redhat.com>
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] setting up Directory-based authentication
Message-ID: <50d8356b-7507-8c99-db1d-72c7fd4ea2b8(a)redhat.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Hi Sergio,
I'm not sure if this has ever made it into the Dogtag documentation, but here are the
instructions I have written for bound LDAP-based authentication. I can't say
that I remember every detail, but it's what I have written down anyway ;-/
In some environments, one might want to disallow anonymous bind for the LDAP
server that is used for authentication. To create a bound connection
between a CA and the LDAP server, you need to make a few configuration
changes:
* Set up directory-based authentication as in the following example in CS.cfg:

    auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
    auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
    auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
    auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
    externalLDAP.authPrefix=auths.instance.UserDirEnrollment
    cms.passwordlist=internaldb,replicationdb,externalLDAP

  where the bindPWPrompt is the "tag" or "prompt" that is used in the
  password.conf file; it is also the name used under the passwordlist and the
  authPrefix.

* Add the "tag" or "prompt" from the CS.cfg with its password in the
  password.conf:

    externalLDAP=<your password>
Please try it out and let us know if it works or need any clarification.
Hope this helps,
Christina
On 07/26/2016 06:01 AM, Sérgio Pereira wrote:
Hi there,
I'm having a hard time setting up the directory-based authentication
for dogtag 10.3.3-1. I did follow the instructions at
http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and
I get an error when trying to bind/authenticate against the directory
service (Microsoft AD2008) as follows:
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication: authenticate: before authenticate() call
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication: Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User authentication failure: netscape.ldap.LDAPException: error result (1); 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772
[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing bad connection
The directives (below) are used to bind to AD2008, and I have already
tested the account and it is working.
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
John Luk is applying for the certificate using the web enrollment
process (caDirUserCert profile).
What am I missing?
Thx,
sergio
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
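The thread turns on one detail: the bindPWPrompt value is a tag that has to agree in three places (the `<tag>.authPrefix` key and `cms.passwordlist` in CS.cfg, and a `<tag>=<password>` line in password.conf), and without `ldapBoundConn=true` the CA searches anonymously, which AD refuses with the "successful bind must be completed" error shown above. The following consistency checker is an added example, not Dogtag project code; it assumes only the key names that appear in this thread, and both sample configurations (the working layout from Christina's reply and the partial one from the first mail) are constructed here for illustration, with placeholder passwords.

```python
"""Check that a Dogtag CS.cfg bound-LDAP setup and its password.conf agree.

Added example, not Dogtag project code. It relies only on the key names
shown in the mailing-list thread; the sample configurations at the bottom
are constructed for illustration.
"""


def parse_kv(text):
    """Parse 'key=value' lines, the shape both CS.cfg and password.conf use.

    Blank lines and '#' comments are skipped. Only the first '=' splits the
    line, so a value such as 'cn=Directory Manager' survives intact.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_bound_ldap(cs_cfg, password_conf, instance="UserDirEnrollment"):
    """Return a list of problems; an empty list means the three places agree.

    The bindPWPrompt value is the tag that must appear as <tag>.authPrefix
    and inside cms.passwordlist in CS.cfg, and as <tag>=... in password.conf.
    """
    cs = parse_kv(cs_cfg)
    pw = parse_kv(password_conf)
    prefix = f"auths.instance.{instance}"
    ldap = f"{prefix}.ldap"
    problems = []

    # Without this the CA never binds, and a server that forbids anonymous
    # access rejects the uid search (the LDAPException in the thread).
    if cs.get(f"{ldap}.ldapBoundConn") != "true":
        problems.append("ldapBoundConn: not 'true', so the CA will search anonymously")
    if cs.get(f"{ldap}.ldapauth.authtype") != "BasicAuth":
        problems.append("authtype: expected BasicAuth for a bound connection")
    if not cs.get(f"{ldap}.ldapauth.bindDN"):
        problems.append("bindDN: missing")

    tag = cs.get(f"{ldap}.ldapauth.bindPWPrompt")
    if not tag:
        problems.append("bindPWPrompt: missing, so there is no password tag to look up")
        return problems

    if cs.get(f"{tag}.authPrefix") != prefix:
        problems.append(f"authPrefix: expected {tag}.authPrefix={prefix}")
    listed = [t.strip() for t in cs.get("cms.passwordlist", "").split(",") if t.strip()]
    if tag not in listed:
        problems.append(f"passwordlist: {tag} is not listed in cms.passwordlist")
    if not pw.get(tag):
        problems.append(f"password.conf: no {tag}=<password> entry")
    return problems


# Constructed sample: the working layout from the reply in the thread.
GOOD_CS_CFG = """\
auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
cms.passwordlist=internaldb,replicationdb,externalLDAP
"""
GOOD_PASSWORD_CONF = """\
internaldb=PLACEHOLDER-internaldb-password
replicationdb=PLACEHOLDER-replicationdb-password
externalLDAP=PLACEHOLDER-external-ldap-password
"""

# Constructed sample: only bindDN/bindPWPrompt set, as in the first mail.
BROKEN_CS_CFG = """\
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password
cms.passwordlist=internaldb,replicationdb
"""
BROKEN_PASSWORD_CONF = """\
internaldb=PLACEHOLDER-internaldb-password
replicationdb=PLACEHOLDER-replicationdb-password
"""

if __name__ == "__main__":
    for name, cfg, pwc in (("working", GOOD_CS_CFG, GOOD_PASSWORD_CONF),
                           ("partial", BROKEN_CS_CFG, BROKEN_PASSWORD_CONF)):
        found = check_bound_ldap(cfg, pwc)
        print(f"{name}: {'consistent' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run against the two samples it reports the working layout as consistent and lists five gaps in the partial one (no ldapBoundConn, no authtype, no `password.authPrefix`, the tag absent from cms.passwordlist and from password.conf), which is exactly the set of lines the reply adds. Pointing it at a real CS.cfg and password.conf is a quick pre-flight before restarting the CA.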