11:27 a.m.
For the CA's authorization subsystem, Is it possible to configure the CA to look for
users in a different DS instance than the one defined in
'internaldb.ldapconn.host' ?
I've done some initial testing changing the following settings to point to another ds
instance:
authz.instance.DirAclAuthz.ldap.basedn=<my basedn>
authz.instance.DirAclAuthz.ldap.database=<my database>
authz.instance.DirAclAuthz.ldap.ldapconn.host=myotherds
authz.instance.DirAclAuthz.ldap.ldapconn.port=389
After a restart, the CA seems to still be doing authorization queries to the DS defined in
'internaldb.ldapconn.host'.
Thanks,
pwr
12:36 p.m.
On 09/17/2015 09:27 AM, Raspante, Patrick wrote:
For the CA’s authorization subsystem, Is it possible to configure the
CA to look for users in a different DS instance than the one defined
in ‘internaldb.ldapconn.host’ ?
I’ve done some initial testing changing the following settings to
point to another ds instance:
authz.instance.DirAclAuthz.ldap.basedn=<my basedn>
authz.instance.DirAclAuthz.ldap.database=<my database>
authz.instance.DirAclAuthz.ldap.ldapconn.host=myotherds
authz.instance.DirAclAuthz.ldap.ldapconn.port=389
After a restart, the CA seems to still be doing authorization queries
to the DS defined in ‘internaldb.ldapconn.host’.
Thanks,
pwr
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
you may define a separate authz
authz.impl.myDirAclAuthz.class=com.netscape.cms.authorization.DirAclAuthz
authz.instance.myDirAclAuthz.ldap.basedn=<my basedn>
authz.instance.myDirAclAuthz.ldap.database=<my database>
authz.instance.myDirAclAuthz.ldap.ldapconn.host=myotherds
authz.instance.myDirAclAuthz.ldap.ldapconn.port=389
also add
authz.instance.myDirAclAuthz.ldap=myotherdb
and to enroll
processor.caProfileSubmit.authzMgr=myDirAclAuthz
M.
9:40 a.m.
Thanks Marc for the reply.
As you suggested, I created myDirAclAuthz instance and used the 'myotherdb' ldap
connection instance.
When I start my CA, I see in the access log of 'myotherdb' that
'cn=aclResources' is searched for and returned successfully.
Then if I authenticate to the CA Agent page, and exercise some operations (e.g.
aclResource=certserver.ca.certificates Op=list), I see activity in the access log of the
directory server defined in internaldb. No activity in the access log of
'myotherdb'.
Is there a way to configure the CA's default authorization manager to look at
myotherdb instead of the internaldb directory?
pwr
3141
days inactive
3142
days old
2 comments
2 participants
participants (2)
-
Marc Sauton -
Raspante, Patrick