Hi Sergio,

I'm not sure if this has ever made it into dogtag document, but here is the instruction I have written for bound LDAP based authentication. I can't say that I remember every detail, but it's what I have written down anyway ;-/

In some environment, one might want to disallow anonymous bind for the ldap server that is used for authentication. To create a bound connection between a CA and the ldap server, you need to make a few configuration changes:

Set up directory-based authentication as following example in CS.cfg:

auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
externalLDAP.authPrefix=auths.instance.UserDirEnrollment
cms.passwordlist=internaldb,replicationdb,externalLDAP

where the bindPWPrompt is the ‘tag” or “prompt” that is used in the password.conf file; It is also the name used under the passwordlist and the authPrefix

Add the “tag” or “prompt” from the CS.cfg with its password in the password.conf:

externalLDAP=<your password>

Please try it out and let us know if it works or need any clarification.

Hope this helps,

Christina

On 07/26/2016 06:01 AM, Sérgio Pereira wrote:

Hi there,

I’m having a hard time setting up the directory-based authentication for dogtag 10.3.3-1. I did follow the instructions as http://pki.fedoraproject.org/wiki/Directory-Authenticated_Profiles and I get an error when trying to bind/authenticate against directory service (Microsoft AD2008) as follows:

[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: DirBasedAuthentication: authenticate: before authenticate() call

[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating UID=john.luk

[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: UidPwdDirAuthentication: Authenticating: Searching for uid=john.luk base DN=OU=IT,dc=domain,dc=com

[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: User authentication failure: netscape.ldap.LDAPException: error result (1); 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772

[26/Jul/2016:08:27:27][http-bio-8443-exec-1]: Authenticating: closing bad connection

The directives (bellow) are used to bind the AD2008 and I already tested the account and it is working.

auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Service Account,ou=IT,dc=domain,dc=com

auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=password

John Luk is applying for the certificate using the web enrollment process (caDirUserCert profile).

What am I missing?

Thx,

sergio
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users