On RHEL 6 IPA uses separate DS instances for IPA and PKI:

- slapd-EXAMPLE-COM
  - port: 389
  - namespace: dc=example,dc=com
- slapd-PKI-IPA
  - port: 7389
  - namespace: o=ipaca

On RHEL 7 IPA uses only one DS instance:

- port: 389/636
- namespaces:
  - dc=example,dc=com
  - o=ipaca
Configure certificate mapping in /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf:

```
# search entire directory for (uid=<UID in subject DN>)
certmap default default
default:DNComps
default:FilterComps uid

# search entire directory for (seeAlso=<subject DN>)
# then compare client certificate with userCertificate
certmap example CN=Certificate Authority,O=EXAMPLE.COM
example:CmapLdapAttr seeAlso
example:verifycert on
```
List the DS certificates with this command:

```
$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
```

Make sure the nicknames and trust attributes are as shown above.

Check each certificate with the following command:

```
$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM -n "<nickname>"
```

Verify that the following information is correct:

- subject DN
- issuer DN
- validity dates
- certificate usages
List the PKI certificates with this command:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
```

Make sure the nicknames and trust attributes are as shown above.

Check each certificate with the following command:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "<nickname>"
```

Verify that the following information is correct:

- subject DN
- issuer DN
- validity dates
- certificate usages
Find the subsystem certificate nickname in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

```
$ grep internaldb.ldapauth.clientCertNickname /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
```
Use the certificate to authenticate against the DS:

```
$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > /var/lib/pki/pki-tomcat/alias/password.txt
$ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/alias/password.txt
$ chmod 400 /var/lib/pki/pki-tomcat/alias/password.txt
$ LDAPTLS_CACERTDIR=/var/lib/pki/pki-tomcat/alias \
  LDAPTLS_CERT="subsystemCert cert-pki-ca" \
  LDAPTLS_KEY=/var/lib/pki/pki-tomcat/alias/password.txt \
  ldapsearch -H ldaps://$HOSTNAME:636 -b "o=ipaca" -s one "(objectClass=*)"
```

Note: The ldapsearch command should not contain the -x, -D, or -w options; those request a simple bind with a DN and password, which would bypass the certificate-based authentication being tested here.

The search operation should return these entries:

```
dn: ou=people,o=ipaca
dn: ou=groups,o=ipaca
dn: ou=requests,o=ipaca
dn: cn=crossCerts,o=ipaca
dn: ou=ca,o=ipaca
dn: ou=replica,o=ipaca
dn: ou=ranges,o=ipaca
dn: cn=aclResources,o=ipaca
dn: ou=Security Domain,o=ipaca
```
Check the DS access log at /var/log/dirsrv/slapd-EXAMPLE-COM/access:

```
[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
```

The client certificate should be mapped to pkidbuser.
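The access-log check above can be automated. The following POSIX shell function is an added example, not part of the original page: it pairs each "client CN=..." line with the "client bound as" line for the same conn id and reports whether a given client certificate subject was mapped to the expected DS entry. The log format is the one shown above; the sample log is constructed for the example, and the check_certmap name is the example's own.

```shell
#!/bin/sh
# check_certmap ACCESS_LOG CLIENT_SUBJECT_DN EXPECTED_BIND_DN
# Exit 0 if at least one connection presented CLIENT_SUBJECT_DN and every such
# connection was bound as EXPECTED_BIND_DN; exit 1 otherwise.
check_certmap() {
  awk -v want_subj="$2" -v want_dn="$3" '
    # "... conn=49 TLS1.2 256-bit AES-GCM; client CN=...; issuer CN=..."
    /; client CN=/ {
      match($0, /conn=[0-9]+/); c = substr($0, RSTART + 5, RLENGTH - 5)
      split($0, f, "; "); s = f[2]; sub(/^client /, "", s)
      subj[c] = s
    }
    # "... conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca"
    / client bound as / {
      match($0, /conn=[0-9]+/); c = substr($0, RSTART + 5, RLENGTH - 5)
      d = $0; sub(/.* client bound as /, "", d)
      bound[c] = d
    }
    END {
      seen = 0; bad = 0
      for (c in subj) {
        if (subj[c] != want_subj) continue
        seen++
        got = (c in bound) ? bound[c] : "(no bind recorded)"
        if (got == want_dn) { printf "conn=%s OK: %s -> %s\n", c, subj[c], got }
        else { bad++; printf "conn=%s MISMATCH: %s -> %s\n", c, subj[c], got }
      }
      if (seen == 0) print "no connection presented " want_subj
      status = (seen > 0 && bad == 0) ? 0 : 1
      exit status
    }' "$1"
}

# Constructed sample log (not a real access log): conn=49 is the mapping the
# page expects; conn=50 is a different client certificate mapped elsewhere.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[21/Sep/2016:21:55:01.000000000 +0200] conn=50 TLS1.2 256-bit AES-GCM; client CN=Other Host,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:55:01.000000000 +0200] conn=50 TLS1.2 client bound as uid=otheruser,ou=people,o=ipaca
EOF

check_certmap "$SAMPLE_LOG" "CN=CA Subsystem,O=EXAMPLE.COM" "uid=pkidbuser,ou=people,o=ipaca"
```

Point it at /var/log/dirsrv/slapd-EXAMPLE-COM/access with the subsystem certificate's subject DN to confirm the mapping on a live server.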