Accessing PKI Database
Endi S. Dewata edited this page Mar 20, 2023
This page describes how to access the PKI database (the `o=ipaca` suffix in the IPA Directory Server) using either basic (password) authentication or client certificate authentication, and how to verify each in the DS access log.
To use basic authentication, specify the bind DN and password:

```
$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "o=ipaca" \
    -s one \
    -LLL \
    dn
```

Note: The command should contain the `-x`, `-D`, and `-w` options.
The search operation should return these entries:

```
dn: ou=people,o=ipaca
dn: ou=groups,o=ipaca
dn: ou=requests,o=ipaca
dn: cn=crossCerts,o=ipaca
dn: ou=ca,o=ipaca
dn: ou=replica,o=ipaca
dn: ou=ranges,o=ipaca
dn: cn=aclResources,o=ipaca
dn: ou=Security Domain,o=ipaca
dn: ou=acme,o=ipaca
```
Check the DS access log at `/var/log/dirsrv/slapd-EXAMPLE-COM/access`:

```
[20/Mar/2023:19:13:07.077242137 -0400] conn=111 op=0 BIND dn="cn=Directory Manager" method=128 version=3
```
Find the subsystem certificate nickname in `/etc/pki/pki-tomcat/ca/conf/CS.cfg`:

```
$ grep internaldb.ldapauth.clientCertNickname /etc/pki/pki-tomcat/ca/conf/CS.cfg
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
```
To use client certificate authentication, specify the NSS database, certificate nickname, and password file:

```
$ LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias \
  LDAPTLS_CERT="subsystemCert cert-pki-ca" \
  LDAPTLS_KEY=/etc/pki/pki-tomcat/alias/pwdfile.txt \
  ldapsearch \
    -H ldaps://$HOSTNAME:636 \
    -b "o=ipaca" \
    -s one \
    -LLL \
    dn
```

Note: The command should not contain the `-x`, `-D`, or `-w` options.
The search operation should return these entries:

```
dn: ou=people,o=ipaca
dn: ou=groups,o=ipaca
dn: ou=requests,o=ipaca
dn: cn=crossCerts,o=ipaca
dn: ou=ca,o=ipaca
dn: ou=replica,o=ipaca
dn: ou=ranges,o=ipaca
dn: cn=aclResources,o=ipaca
dn: ou=Security Domain,o=ipaca
dn: ou=acme,o=ipaca
```
Check the DS access log at `/var/log/dirsrv/slapd-EXAMPLE-COM/access`:

```
[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
```
The client certificate should be mapped to `pkidbuser`.
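As an added example (not part of the original page), the following Python script reads both kinds of access-log entries shown above and reports how each connection to the PKI database authenticated, so you can confirm that the CA subsystem binds with its certificate as `pkidbuser` rather than with a password. The sample log lines are constructed from the excerpts above; the `conn=112` anonymous bind is an added constructed line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the 389 DS access log excerpts shown on this page.
SAMPLE_LOG = """\
[20/Mar/2023:19:13:07.077242137 -0400] conn=111 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[20/Mar/2023:19:15:00.000000000 -0400] conn=112 op=0 BIND dn="" method=128 version=3
"""

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
CERT_RE = re.compile(r'conn=(?P<conn>\d+) TLS\S+ [^;]*; client (?P<subject>[^;]+); issuer (?P<issuer>.+)$')
MAPPED_RE = re.compile(r'conn=(?P<conn>\d+) TLS\S+ client bound as (?P<dn>.+)$')


@dataclass
class ConnAuth:
    conn: str
    kind: Optional[str] = None          # "password", "anonymous" or "client-cert"
    identity: Optional[str] = None      # bind DN, or the DN the certificate was mapped to
    cert_subject: Optional[str] = None  # subject of the presented client certificate


def summarize_binds(log_text: str) -> Dict[str, ConnAuth]:
    """Return per-connection authentication details parsed from 389 DS access log lines."""
    conns: Dict[str, ConnAuth] = {}
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            c = conns.setdefault(m['conn'], ConnAuth(m['conn']))
            # method=128 is LDAP_AUTH_SIMPLE: a password bind, or anonymous when the DN is empty
            if m['method'] == '128':
                c.kind = 'password' if m['dn'] else 'anonymous'
            else:
                c.kind = 'method=' + m['method']
            c.identity = m['dn'] or None
        elif m := MAPPED_RE.search(line):
            # TLS client certificate accepted and mapped to a directory entry
            c = conns.setdefault(m['conn'], ConnAuth(m['conn']))
            c.kind = 'client-cert'
            c.identity = m['dn']
        elif m := CERT_RE.search(line):
            c = conns.setdefault(m['conn'], ConnAuth(m['conn']))
            c.cert_subject = m['subject']
    return conns


def password_binds(conns: Dict[str, ConnAuth]) -> List[str]:
    """DNs that authenticated with a password; Directory Manager binds stand out here."""
    return sorted(c.identity for c in conns.values() if c.kind == 'password')
```

Run it against the real `/var/log/dirsrv/slapd-EXAMPLE-COM/access` to list every connection that reached `o=ipaca` with a password instead of the subsystem certificate.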