Overview#

This page describes the process of setting up a user in the DS that the PKI server uses to access the DS.

DS User#

During PKI server installation a new user (pkidbuser) is created in the database for the PKI server to use when accessing the database. This user replaces Directory Manager for that purpose, so it is no longer necessary to store the Directory Manager password in PKI server configuration files.

By default the PKI server still uses Directory Manager, but it can be switched to this user after installation. The user supports basic authentication (username and password) or client-certificate authentication.

dn: uid=pkidbuser,<current subsystem's suffix>
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userPassword: <password>
userCertificate: <DER-encoded certificate>
uidNumber: <uid>
gidNumber: <gid>

Separate Database#

pki_share_db=False

Shared Database#

pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,<initial subsystem's suffix>

DS Authentication#

Basic Authentication#

Pre-Install Configuration#

Currently the PKI server can only be deployed with Directory Manager as the bind DN:

pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret.123
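As an added example (not the pki-server project's own code), the following Python renders the pkidbuser entry from the template above as LDIF, with the binary userCertificate value in the base64 form and long lines folded, and builds the pkispawn DS settings for a separate or shared database, deriving pki_share_dbuser_dn from the initial subsystem's suffix. The suffix o=pki-tomcat-CA, the sample certificate bytes and the function names are this example's own assumptions.

```python
# Added example, not part of pki-server: build the pkidbuser LDIF entry and
# the pkispawn DS settings described on this page. Suffixes and certificate
# bytes used with these functions are constructed sample values.
import base64
from typing import Dict, List, Optional

PKIDBUSER_UID = "pkidbuser"
LDIF_MAX_LINE = 76  # RFC 2849 recommends folding lines longer than 76 characters


def pkidbuser_dn(suffix: str) -> str:
    """DN of the DS user under the given subsystem suffix."""
    return f"uid={PKIDBUSER_UID},{suffix}"


def _fold(line: str) -> List[str]:
    """Fold one logical LDIF line; continuation lines start with a single space."""
    physical = [line[:LDIF_MAX_LINE]]
    rest = line[LDIF_MAX_LINE:]
    while rest:
        physical.append(" " + rest[:LDIF_MAX_LINE - 1])
        rest = rest[LDIF_MAX_LINE - 1:]
    return physical


def unfold_ldif(text: str) -> List[str]:
    """Reverse of _fold: join continuation lines back onto their logical line."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def pkidbuser_ldif(suffix: str, password: Optional[str] = None,
                   cert_der: Optional[bytes] = None,
                   uid_number: Optional[int] = None,
                   gid_number: Optional[int] = None) -> str:
    """Render the pkidbuser entry; the user needs a password or a certificate to bind."""
    if password is None and cert_der is None:
        raise ValueError("pkidbuser needs a userPassword or a userCertificate")
    attrs = [
        ("dn", pkidbuser_dn(suffix)),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("cn", PKIDBUSER_UID),
        ("sn", PKIDBUSER_UID),
        ("uid", PKIDBUSER_UID),
    ]
    lines = [f"{name}: {value}" for name, value in attrs]
    if password is not None:
        lines.append(f"userPassword: {password}")
    if cert_der is not None:
        # A DER certificate is binary, so LDIF carries it base64-encoded after '::'.
        lines.append("userCertificate:: " + base64.b64encode(cert_der).decode("ascii"))
    if uid_number is not None:
        lines.append(f"uidNumber: {uid_number}")
    if gid_number is not None:
        lines.append(f"gidNumber: {gid_number}")
    physical: List[str] = []
    for line in lines:
        physical.extend(_fold(line))
    return "\n".join(physical) + "\n"


def ds_deployment_config(share_db: bool, initial_suffix: Optional[str] = None,
                         bind_dn: str = "cn=Directory Manager",
                         password: str = "<ds password>") -> Dict[str, str]:
    """pkispawn DS settings: deployment binds as Directory Manager (pre-install),
    and a shared database points pki_share_dbuser_dn at the initial subsystem's user."""
    cfg = {
        "pki_ds_bind_dn": bind_dn,
        "pki_ds_password": password,
        "pki_share_db": "True" if share_db else "False",
    }
    if share_db:
        if not initial_suffix:
            raise ValueError("pki_share_db=True requires the initial subsystem's suffix")
        cfg["pki_share_dbuser_dn"] = pkidbuser_dn(initial_suffix)
    return cfg


def render_deployment_config(cfg: Dict[str, str]) -> str:
    """Render the settings as key=value lines for a pkispawn deployment file."""
    return "\n".join(f"{key}={value}" for key, value in cfg.items()) + "\n"


if __name__ == "__main__":
    print(pkidbuser_ldif("o=pki-tomcat-CA", password="Secret.123", uid_number=17, gid_number=17))
    print(render_deployment_config(ds_deployment_config(True, "o=pki-tomcat-CA", password="Secret.123")))
```

The folding matters in practice because a DER certificate encodes to several hundred base64 characters; ldapadd accepts the folded form, and unfold_ldif shows how the logical line is reassembled before the value is decoded.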

Post-Install Configuration#

After installation the PKI server can be switched to pkidbuser. See Configuring Basic Authentication to Internal Database.

Client Certificate Authentication#

Pre-Install Configuration (NOT IMPLEMENTED)#

pki_ds_auth_type=ClientCertificate
pki_ds_client_cert_nickname=subsystemCert cert-pki-ca

Post-Install Configuration#

Client-certificate authentication can be enabled post-install. See Configuring Client Certificate Authentication to Internal Database.

GSSAPI (IPA only)#

See Authenticating with GSSAPI.

Autobind (NOT IMPLEMENTED)#

See Enabling Autobind.
