Hi,
I was wondering if anyone could offer some assistance with getting SCEP working with LDAP
auth?
Thanks!
-Emily
Date: Monday, April 27, 2015 at 4:53 PM
To: "pki-users@redhat.com" <pki-users@redhat.com>
Subject: [Pki-users] SCEP directory authentication
Hi,
I am still trying to get Dogtag 10.2.1 on Fedora 21 working to allow for router identity
certificates obtained by Cisco Routers via SCEP to be auto-renewing. I have found that
the one-time pin model doesn’t work for auto-renewal. I was pointed to the RedHat
document below that discusses using directory-based auth in Section 8.2.1, but I’m having
issues with getting it to work.
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
I’m not certain what to put in the dnpattern attribute and there are no examples I can
find and am wondering if it is the reason attempts show uid and credentials as null from
the router – details of the setup later on in this email.
* dnpattern. Specifies a string representing a subject name pattern to formulate from the
  directory attributes and entry DN.
------------------------------------------
From my CS.conf (RouterAuth is then referenced in the caRouterCert.cfg
instead of flatfile):
auths.instance.RouterAuth.pluginName=UidPwdDirAuth
auths.instance.RouterAuth.ldap.basedn=ou=RouterID,dc=auth,dc=sample,dc=com
auths.instance.RouterAuth.ldap.ldapconn.host=localhost
auths.instance.RouterAuth.ldap.ldapconn.port=389
auths.instance.RouterAuth.ldap.ldapconn.secureConn=false
------------------------------------------
I’ve created a hierarchy outside of dogtag for doing router auth:
ou=RouterID,dc=auth,dc=sample,dc=com
------------------------------------------
Test User Account (I am not sure what objectClass to use, so I found one with uid and
password as options and used that):
dn: uid=172.18.240.11,ou=RouterID,dc=auth,dc=sample,dc=com
uid: 172.18.240.11
objectClass: inetUser
userPassword: testpass
------------------------------------------
Router config. For flatfile auth it ends up using the WAN IP and the password in the
identity section; however, for LDAP auth I don't know what these would map to:
crypto ca identity SAMPLE
enrollment url http://172.21.4.239:8080/ca/cgi-bin
revocation-check none
fqdn emilyvpn.sample.com
serial-number none
ip-address none
hash sha256
password testpass
rsakeypair MEVO 2048
auto-enroll 75
crl optional
exit
crypto ca authenticate SAMPLE
------------------------------------------
When I try and get a cert from the Cisco Router I get output like the following in the
debug file that lists both UID and credential as null:
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4
[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.
[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:
Thanks for any assistance,
-Emily
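As an added example (not from this thread and not Dogtag project code), the following Python script reconstructs directory-authentication attempts from CA debug lines in the format quoted above. It correlates lines by Tomcat worker thread, records the UID the UidPwdDirAuth plugin actually received, and picks out attempts where that UID was null, which is the symptom described in the mail. The sample log embeds the failing lines from the thread plus a constructed second attempt on another thread that did carry a uid; the exact set of message prefixes and the presence of a closing "Output PKIOperation response" line are assumptions about the log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed Dogtag CA debug log line format: [dd/Mon/yyyy:HH:MM:SS][thread-name]: message
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")


@dataclass
class AuthEvent:
    """One directory-authentication attempt reconstructed from the debug log."""
    started: str                   # timestamp of the "Got authenticator=" line
    thread: str                    # worker thread, used to correlate related lines
    authenticator: str             # plugin class named in the log
    uid: Optional[str] = None      # None when the log shows "Authenticating UID=null"
    failure: Optional[str] = None  # text after "operation failure - ", if any

    @property
    def null_uid(self) -> bool:
        return self.uid is None


def parse_auth_events(lines) -> List[AuthEvent]:
    """Group log lines per thread into AuthEvent objects, in completion order."""
    open_events: Dict[str, AuthEvent] = {}
    done: List[AuthEvent] = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated text
        ts, thread, msg = m.group("ts"), m.group("thread"), m.group("msg")
        if msg.startswith("Got authenticator="):
            # a new authentication attempt begins on this thread
            open_events[thread] = AuthEvent(ts, thread, msg.split("=", 1)[1])
        elif thread in open_events:
            ev = open_events[thread]
            if msg.startswith("Authenticating UID="):
                value = msg.split("=", 1)[1].strip()
                ev.uid = None if value == "null" else value
            elif msg.startswith("operation failure - "):
                ev.failure = msg[len("operation failure - "):]
            elif msg.startswith("Output PKIOperation response"):
                done.append(open_events.pop(thread))
    done.extend(open_events.values())  # attempts that never reached the response line
    return done


def null_uid_failures(lines) -> List[AuthEvent]:
    """Return only the attempts where the auth plugin received no uid at all."""
    return [ev for ev in parse_auth_events(lines) if ev.null_uid]


# Sample input: the failing attempt quoted in the mail, plus a constructed
# second attempt (thread exec-8) that did present a uid, for contrast.
SAMPLE_LOG = [
    "[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication",
    "[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory::getConn",
    "[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: LdapAnonConnFactory.getConn(): num avail conns now 4",
    "[24/Apr/2015:16:31:18][http-bio-8080-exec-7]: Authenticating UID=null",
    "[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: returnConn: mNumConns now 4",
    "[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: operation failure - Authentication credential for uid is null.",
    "[24/Apr/2015:16:31:19][http-bio-8080-exec-7]: Output PKIOperation response:",
    # constructed lines below
    "[24/Apr/2015:16:40:02][http-bio-8080-exec-8]: Got authenticator=com.netscape.cms.authentication.UidPwdDirAuthentication",
    "[24/Apr/2015:16:40:02][http-bio-8080-exec-8]: Authenticating UID=172.18.240.11",
    "[24/Apr/2015:16:40:03][http-bio-8080-exec-8]: Output PKIOperation response:",
]

if __name__ == "__main__":
    for ev in parse_auth_events(SAMPLE_LOG):
        state = "NULL UID" if ev.null_uid else f"uid={ev.uid}"
        print(f"{ev.started} {ev.thread}: {state}; failure={ev.failure!r}")
```

Run against a real debug file with `parse_auth_events(open(path))`; a run of attempts with a null UID and no intervening successes points at the client not presenting a uid/password pair that the directory plugin can consume, rather than at a wrong password or a missing LDAP entry.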