DS Authentication

From Dogtag

Overview

This page describes how to set up a user in the DS (Directory Server) that the PKI server uses to access the DS.

DS User

During PKI server installation a new user (i.e. pkidbuser) is created in the database for the PKI server to access the database. This user replaces Directory Manager so that it is no longer necessary to store the Directory Manager password in PKI server configuration files.

By default PKI server still uses Directory Manager, but it can be switched to this user after installation. This user supports basic authentication (username and password) or client-certificate authentication.

dn: uid=pkidbuser,<current subsystem's suffix>
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userPassword: <password>
userCertificate: <DER-encoded certificate>
uidNumber: <uid>
gidNumber: <gid>
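As an added example (not part of the Dogtag page or project code), the following Python parses a pkidbuser LDIF entry and checks it against the layout above: required object classes, a credential for basic or client-certificate authentication, a base64 (::) DER-encoded userCertificate, and numeric uidNumber/gidNumber for the autobind mapping configured later on this page. The suffix and the certificate bytes in the sample are constructed placeholders.

```python
import base64

# Constructed sample: placeholder suffix and a 5-byte DER SEQUENCE standing in for a real certificate.
SAMPLE_LDIF = """dn: uid=pkidbuser,dc=ca,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userCertificate;binary:: MAMCAQA=
uidNumber: 17
gidNumber: 17
"""

REQUIRED_CLASSES = {"person", "organizationalperson", "inetorgperson"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}; '::' marks base64, a leading space continues a line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        attr = attr.strip().split(";")[0].lower()  # drop options such as ;binary
        entry.setdefault(attr, []).append(value)
    return entry

def check_pkidbuser_entry(entry):
    """Return a list of problems; an empty list means the entry matches the pkidbuser layout."""
    problems = []
    if not entry.get("dn", [""])[0].lower().startswith("uid=pkidbuser,"):
        problems.append("dn must be uid=pkidbuser under the subsystem suffix")
    missing = REQUIRED_CLASSES - {c.lower() for c in entry.get("objectclass", [])}
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    for attr in ("cn", "sn", "uid"):
        if entry.get(attr) != ["pkidbuser"]:
            problems.append(f"{attr} must be pkidbuser")
    if "userpassword" not in entry and "usercertificate" not in entry:
        problems.append("no credential: need userPassword (basic) or userCertificate (client cert)")
    for cert in entry.get("usercertificate", []):
        if not (isinstance(cert, bytes) and cert[:1] == b"\x30"):  # DER certificates start with a SEQUENCE tag
            problems.append("userCertificate must be a base64 (::) DER-encoded certificate")
    for attr in ("uidnumber", "gidnumber"):  # autobind maps the LDAPI peer uid/gid onto these
        problems += [f"{attr} must be an integer, got {v!r}" for v in entry.get(attr, []) if not v.isdigit()]
    return problems
```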

Separate Database

pki_share_db=False

Shared Database

pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,<initial subsystem's suffix>

DS Authentication

Basic Authentication

Pre-Install Configuration

Currently PKI server can only be deployed by a Directory Manager:

pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret.123

Post-Install Configuration

After installation the PKI server can be switched to pkidbuser. See DS Basic Authentication.

Client Certificate Authentication

Pre-Install Configuration (NOT IMPLEMENTED)

pki_ds_auth_type=ClientCertificate
pki_ds_client_cert_nickname=subsystemCert cert-pki-ca

Post-Install Configuration

Client-certificate authentication can be enabled post-install. See Enabling Client Certificate Authentication with Internal Database.

GSSAPI (IPA only)

$ kinit -kt /etc/dirsrv/ds.keytab ldap/server.example.com@EXAMPLE.COM
$ ldapsearch -Y GSSAPI -h server.example.com -s base -b ""

Autobind (NOT IMPLEMENTED)

See ticket #1585 and Configuring Autobind.

Manual Setup

$ ldapmodify -h server.example.com -p 389 -x -D "cn=Directory Manager" -w Secret.123
dn: cn=config
changetype: modify
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
add: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
add: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
add: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber
-
add: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: dc=ca,dc=example,dc=com
-
add: nsslapd-ldapimaprootdn
nsslapd-ldapimaprootdn: cn=Directory Manager

Restart the server:

$ systemctl restart dirsrv@pki-tomcat.service
