Hi lambam,
I am trying to do LDAP client certificate mapping. I have given an insight into my configuration.
My certmap.conf file:
certmap example ou=employees,o=us.com   <-- this is the DN of the CA issuer
example:verifycert on
example:DNComps cn,email,roomNumber
example:FilterComps l,email,uid,telephoneNumber
example:CmapLdapAttr certSubjectDN
Generation of CA cert:
certutil -S -n "CertCA" -s "ou= employees,o= us.com" -x -t "CT,," -m 1000 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
Is this correct?
I assume ou=employees,o=us.com is my CA cert issuer. So I am using it as issuerDN value in certmap.conf.
Creating the client certificate:
certutil -S -n "certuser" -s "cn=certuser, ou=employees,o=us.com " -c " CertCA " -t "u,u,u" -m 1003 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
and adding the userCertificate;binary attribute to that user entry, after creating the binary certificate:
certutil -L -d <instance-path> -n "certuser" -r >usercert.bin
When I try to ldapsearch:
ldapsearch -h myhost -p 636 -Z -P /etc/opt/dirsrv/slapd-<instance>/cert8.db -N " certuser " -K /etc/opt/dirsrv/slapd-<instance>/key3.db -W "password" -b "o=us.com" cn=certuser
ldap_sasl_bind: Invalid credentials
ldap_sasl_bind: additional info: client certificate mapping failed
But when I change the issuerDN in the certmap.conf file to any DN (even a non-existing, invalid one) I get the search result properly. But the criterion is that the issuerDN in certmap.conf should be exactly the same DN as the one that issued the CA certificate.
The problem is that whenever I use the correct issuerDN in the first line of the certmap.conf file I get the error.
I am totally confused. Can somebody help me get rid of this problem?
Thanks in advance, Neuron Ring.
Hello Neuron Ring.
Certificate to LDAP Mapping:
http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
Page 198 ish.
API:
From page 201 of the above guide:
< You can use the Certificate Mapping API to create your own properties. For
< information on using the Certificate Mapping API, see “Certificate Mapping SDKs”
< at the following URL - which is followed by a defunct link.
Try here, rather:
http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/
I hope this helps, laters. I'll keep an eye out for further questions along this line.
--------------------------------------------------------------------------------
Date: Tue, 24 Mar 2009 17:51:50 +0530
From: neuronring@gmail.com
To: fedora-directory-users@redhat.com
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
Hi all,
I need to use “Certificate to LDAP Mapping” functionality.
The README file in the source ldapserver/lib/ldaputil/examples path suggests: Refer "Certificate to LDAP Mapping API" documentation to find out about the various API functions and how you can write your plug-in.
It also says to refer to the “Managing Servers” manual. But I couldn’t get those documents. How can I write my own plug-in for LDAP Mapping?
Or what can I do with the certmap.conf file to configure Certificate to LDAP Mapping?
Can somebody provide a link to that document or explain what Certificate to LDAP Mapping is?
Thanks in advance, Neuron Ring.
neuron ring wrote:
> Hi lambam,
> I am trying to do LDAP client certificate mapping. I have given an insight into my configuration.
> My certmap.conf file:
> certmap example ou=employees,o=us.com   <-- this is the DN of the CA issuer
> example:verifycert on
> example:DNComps cn,email,roomNumber
Try example:DNComps ou,o
> example:FilterComps l,email,uid,telephoneNumber
example:FilterComps cn
> example:CmapLdapAttr certSubjectDN
I don't think you want to use CmapLdapAttr
See http://directory.fedoraproject.org/wiki/Howto:CertMapping for more information
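To see why the suggested DNComps/FilterComps values matter, here is an added example (not 389 Directory Server code, and a deliberately simplified model of its certmap logic) that turns the thread's certificate subject into the search base and filter a certmap.conf entry would produce and runs it against a constructed two-entry directory; it assumes that components missing from the certificate are simply skipped.

```python
# Added example (not 389 Directory Server code): a simplified simulation of how a
# certmap.conf entry turns a client certificate's subject DN into an LDAP search.
# The directory entries and subject below are constructed for this demo.
def parse_dn(dn):
    """Split "cn=certuser, ou=employees,o=us.com" into [("cn", "certuser"), ...]."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def build_search(subject_dn, dncomps, filtercomps):
    """DNComps selects subject RDNs that form the search base; FilterComps
    selects subject attributes that form an equality filter. Components the
    certificate lacks are skipped (an assumption simplifying the real server)."""
    rdns = parse_dn(subject_dn)
    want = {c.lower() for c in dncomps}
    base = ",".join(f"{a}={v}" for a, v in rdns if a.lower() in want)
    values = {a.lower(): v for a, v in rdns}
    filt = [(c.lower(), values[c.lower()]) for c in filtercomps if c.lower() in values]
    return base, filt

def search(directory, base, filt):
    """Subtree search: DN must end with base (case-insensitive) and every
    (attr, value) pair in filt must equal an attribute of the entry."""
    hits = []
    for dn, attrs in directory.items():
        if base and not dn.lower().endswith(base.lower()):
            continue
        if all(attrs.get(a, "").lower() == v.lower() for a, v in filt):
            hits.append(dn)
    return hits

def map_cert(directory, subject_dn, dncomps, filtercomps):
    """Mapping succeeds only when exactly one entry matches; otherwise None
    (the client would see 'client certificate mapping failed')."""
    base, filt = build_search(subject_dn, dncomps, filtercomps)
    hits = search(directory, base, filt)
    return hits[0] if len(hits) == 1 else None

# Constructed directory: the user entry from the thread plus a sibling entry.
DIRECTORY = {
    "cn=certuser,ou=employees,o=us.com": {"cn": "certuser", "ou": "employees", "o": "us.com"},
    "cn=other,ou=employees,o=us.com": {"cn": "other", "ou": "employees", "o": "us.com"},
}
SUBJECT = "cn=certuser, ou=employees,o=us.com"  # subject given to certutil in the thread

if __name__ == "__main__":
    # Original settings: in this model the base collapses to "cn=certuser" (email and
    # roomNumber are not in the cert) and no entry lives under it, so mapping fails.
    print(map_cert(DIRECTORY, SUBJECT, ["cn", "email", "roomNumber"],
                   ["l", "email", "uid", "telephoneNumber"]))
    # Suggested settings: base "ou=employees,o=us.com", filter (cn=certuser).
    print(map_cert(DIRECTORY, SUBJECT, ["ou", "o"], ["cn"]))
```

With FilterComps empty, both entries under ou=employees,o=us.com match and the mapping is rejected as ambiguous, which is the other common way a certmap lookup fails.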
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users