Accessing PKI Database

Endi S. Dewata edited this page Mar 20, 2023 · 1 revision

Overview

This page describes how to access the PKI database in IPA.

Using Basic Authentication

To use basic authentication, specify the bind DN and password:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "o=ipaca" \
    -s one \
    -LLL \
    dn

Note: The command should contain -x, -D, and -w options.

The search operation should return these entries:

dn: ou=people,o=ipaca

dn: ou=groups,o=ipaca

dn: ou=requests,o=ipaca

dn: cn=crossCerts,o=ipaca

dn: ou=ca,o=ipaca

dn: ou=replica,o=ipaca

dn: ou=ranges,o=ipaca

dn: cn=aclResources,o=ipaca

dn: ou=Security Domain,o=ipaca

dn: ou=acme,o=ipaca

Check the DS access log at /var/log/dirsrv/slapd-EXAMPLE-COM/access:

[20/Mar/2023:19:13:07.077242137 -0400] conn=111 op=0 BIND dn="cn=Directory Manager" method=128 version=3

Using Client Certificate Authentication

Find the subsystem certificate nickname in /etc/pki/pki-tomcat/ca/conf/CS.cfg:

$ grep internaldb.ldapauth.clientCertNickname /etc/pki/pki-tomcat/ca/conf/CS.cfg
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca

To use client certificate authentication, specify the NSS database, certificate nickname, and password file:

$ LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias \
    LDAPTLS_CERT="subsystemCert cert-pki-ca" \
    LDAPTLS_KEY=/etc/pki/pki-tomcat/alias/pwdfile.txt \
    ldapsearch \
    -H ldaps://$HOSTNAME:636 \
    -b "o=ipaca" \
    -s one \
    -LLL \
    dn

Note: The command should not contain -x, -D, or -w options.

The search operation should return these entries:

dn: ou=people,o=ipaca

dn: ou=groups,o=ipaca

dn: ou=requests,o=ipaca

dn: cn=crossCerts,o=ipaca

dn: ou=ca,o=ipaca

dn: ou=replica,o=ipaca

dn: ou=ranges,o=ipaca

dn: cn=aclResources,o=ipaca

dn: ou=Security Domain,o=ipaca

dn: ou=acme,o=ipaca

Check the DS access log at /var/log/dirsrv/slapd-EXAMPLE-COM/access:

[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca

The client certificate should be mapped to pkidbuser.
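As an added example (not part of this wiki page or the PKI project), the following parser reads DS access-log lines like the ones above and records, per connection, whether TLS was used, which client certificate was presented and what identity it was mapped to, and whether a simple (method=128) password bind occurred, so the two access methods on this page can be told apart after the fact. The conn=50 lines are constructed, and the conn=111 excerpt is assumed to contain no TLS line, matching the ldap:// URL used for basic authentication above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the two connections shown on the page (conn=111 simple bind over
# ldap://, conn=49 TLS client-cert bind) plus a constructed conn=50 simple bind over TLS.
SAMPLE_LOG = """\
[20/Mar/2023:19:13:07.077242137 -0400] conn=111 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[21/Sep/2016:21:55:00.000000000 +0200] conn=50 TLS1.2 256-bit AES-GCM
[21/Sep/2016:21:55:00.001000000 +0200] conn=50 op=0 BIND dn="cn=Directory Manager" method=128 version=3
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
CLIENT_CERT_RE = re.compile(r"client (?P<subject>CN=[^;]+); issuer ")
BOUND_AS_RE = re.compile(r"client bound as (?P<dn>\S+)")

@dataclass
class Conn:
    tls: bool = False               # a TLS/SSL line was logged for this connection
    client_cert: str | None = None  # subject of the presented client certificate
    bound_as: str | None = None     # identity DS mapped the certificate to
    bind_dn: str | None = None      # DN from a BIND request, if any
    bind_method: str | None = None  # "128" is a simple (password) bind

def parse_access_log(text: str) -> dict[int, Conn]:
    # Group the authentication-related facts by connection id.
    conns: dict[int, Conn] = {}
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        c, rest = conns.setdefault(int(m["conn"]), Conn()), m["rest"]
        if rest.startswith(("TLS", "SSL")):
            c.tls = True
            if cert := CLIENT_CERT_RE.search(rest):
                c.client_cert = cert["subject"]
            if bound := BOUND_AS_RE.search(rest):
                c.bound_as = bound["dn"]
        elif bind := BIND_RE.search(rest):
            c.bind_dn, c.bind_method = bind["dn"], bind["method"]
    return conns

def findings(conns: dict[int, Conn]) -> list[str]:
    # Report simple binds; without a TLS line the password crossed the wire in cleartext.
    out = []
    for cid, c in sorted(conns.items()):
        if c.bind_method == "128":
            how = "without TLS (password sent in cleartext)" if not c.tls else "over TLS"
            out.append(f"conn={cid}: simple bind as {c.bind_dn} {how}")
    return out
```

Certificate-authenticated connections such as conn=49 produce no finding, because the identity comes from the "client bound as" mapping rather than a password bind.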