neuron ring
2009-Mar-27 12:51 UTC
[Fedora-directory-users] Certificate to LDAP mapping problem
Hi lambam,

I am trying to do LDAP client certificate mapping. I have given an insight of my configuration.

My certmap.conf file:

    certmap example ou=employees,o=us.com    <-- this is the DN of the CA issuer
    example:verifycert on
    example:DNComps cn,email,roomNumber
    example:FilterComps l,email,uid,telephoneNumber
    example:CmapLdapAttr certSubjectDN

Generation of CA cert:

    certutil -S -n "CertCA" -s "ou=employees,o=us.com" -x -t "CT,," -m 1000 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt

Is this correct? I assume ou=employees,o=us.com is my CA cert issuer, so I am using it as the issuerDN value in certmap.conf.

Creating the client certificate:

    certutil -S -n "certuser" -s "cn=certuser,ou=employees,o=us.com" -c "CertCA" -t "u,u,u" -m 1003 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt

and adding the userCertificate;binary attribute to that user entry, after creating the binary certificate:

    certutil -L -d <instance-path> -n "certuser" -r > usercert.bin

When I try to ldapsearch:

    ldapsearch -h myhost -p 636 -Z -P /etc/opt/dirsrv/slapd-<instance>/cert8.db -N "certuser" -K /etc/opt/dirsrv/slapd-<instance>/key3.db -W "password" -b "o=us.com" cn=certuser

    ldap_sasl_bind: Invalid credentials
    ldap_sasl_bind: additional info: client certificate mapping failed

But when I change the issuerDN in the certmap.conf file to whatever DN (even if it is non-existent and invalid) I get the search result properly. But the criterion is that the issuerDN in certmap.conf should be exactly the same DN that issues the CA certificate.

The problem is that whenever I use the correct issuerDN in the first line of the certmap.conf file I get an error.

I am totally confused. Can somebody help me to get rid of this problem?

Thanks in advance,
Neuron Ring.


Hello Neron Ring.

Certificate to LDAP Mapping:
http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
Page 198 ish.

API:
----
From page 201 of the above guide:

< You can use the Certificate Mapping API to create your own properties. For
< information on using the Certificate Mapping API, see "Certificate Mapping SDKs"
< at the following URL

- which is followed by a defunct link. Try here, rather:
http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/

I hope this helps, laters. I'll keep an eye out for further questions along this line.

--------------------------------------------------------------------------------
Date: Tue, 24 Mar 2009 17:51:50 +0530
From: neuronring@gmail.com
To: fedora-directory-users@redhat.com
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API

Hi all,

I need to use the "Certificate to LDAP Mapping" functionality.

The README file in the source path ldapserver/lib/ldaputil/examples suggests:

    Refer "Certificate to LDAP Mapping API" documentation to find out about the
    various API functions and how you can write your plug-in.

And also to refer to the "Managing servers" manual. But I couldn't get those documents. How can I write my own plug-in for LDAP Mapping?

Or what can I do with the certmap.conf file to configure Certificate to LDAP Mapping?

Can somebody provide a link to that document or explain what Certificate to LDAP Mapping is?

Thanks in advance,
Neuron Ring.
Rich Megginson
2009-Mar-28 18:55 UTC
Re: [Fedora-directory-users] Certificate to LDAP mapping problem
neuron ring wrote:
> Hi lambam,
>
> I am trying to do LDAP client certificate mapping. I have given an insight of my configuration.
>
> My certmap.conf file:
>
>     certmap example ou=employees,o=us.com    <-- this is the DN of the CA issuer
>     example:verifycert on
>     example:DNComps cn,email,roomNumber

Try example:DNComps ou,o

>     example:FilterComps l,email,uid,telephoneNumber

example:FilterComps cn

>     example:CmapLdapAttr certSubjectDN

I don't think you want to use CmapLdapAttr. See http://directory.fedoraproject.org/wiki/Howto:CertMapping for more information.

> Generation of CA cert:
>
>     certutil -S -n "CertCA" -s "ou=employees,o=us.com" -x -t "CT,," -m 1000 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
>
> Is this correct? I assume ou=employees,o=us.com is my CA cert issuer, so I am using it as the issuerDN value in certmap.conf.
>
> Creating the client certificate:
>
>     certutil -S -n "certuser" -s "cn=certuser,ou=employees,o=us.com" -c "CertCA" -t "u,u,u" -m 1003 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
>
> and adding the userCertificate;binary attribute to that user entry, after creating the binary certificate:
>
>     certutil -L -d <instance-path> -n "certuser" -r > usercert.bin
>
> When I try to ldapsearch:
>
>     ldapsearch -h myhost -p 636 -Z -P /etc/opt/dirsrv/slapd-<instance>/cert8.db -N "certuser" -K /etc/opt/dirsrv/slapd-<instance>/key3.db -W "password" -b "o=us.com" cn=certuser
>
>     ldap_sasl_bind: Invalid credentials
>     ldap_sasl_bind: additional info: client certificate mapping failed
>
> But when I change the issuerDN in the certmap.conf file to whatever DN (even if it is non-existent and invalid) I get the search result properly. But the criterion is that the issuerDN in certmap.conf should be exactly the same DN that issues the CA certificate.
>
> The problem is that whenever I use the correct issuerDN in the first line of the certmap.conf file I get an error.
>
> I am totally confused. Can somebody help me to get rid of this problem?
>
> Thanks in advance,
> Neuron Ring.
>
>
> Hello Neron Ring.
>
> Certificate to LDAP Mapping:
> http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
> Page 198 ish.
>
> API:
> ----
> From page 201 of the above guide:
>
> < You can use the Certificate Mapping API to create your own properties. For
> < information on using the Certificate Mapping API, see "Certificate Mapping SDKs"
> < at the following URL
>
> - which is followed by a defunct link. Try here, rather:
> http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/
>
> I hope this helps, laters. I'll keep an eye out for further questions along this line.
>
> --------------------------------------------------------------------------------
> Date: Tue, 24 Mar 2009 17:51:50 +0530
> From: neuronring@gmail.com
> To: fedora-directory-users@redhat.com
> Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
>
> Hi all,
>
> I need to use the "Certificate to LDAP Mapping" functionality.
>
> The README file in the source path ldapserver/lib/ldaputil/examples suggests:
>
>     Refer "Certificate to LDAP Mapping API" documentation to find out about the
>     various API functions and how you can write your plug-in.
>
> And also to refer to the "Managing servers" manual. But I couldn't get those documents. How can I write my own plug-in for LDAP Mapping?
>
> Or what can I do with the certmap.conf file to configure Certificate to LDAP Mapping?
>
> Can somebody provide a link to that document or explain what Certificate to LDAP Mapping is?
>
> Thanks in advance,
> Neuron Ring.
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
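As an added illustration (my own code, not part of this thread and not Fedora/389 Directory Server code), the Python script below simulates the part of certificate mapping the thread is about: the certmap.conf entry is selected by the certificate's issuer DN, then DNComps and FilterComps turn the certificate's subject DN into an LDAP base DN and search filter, following the documented semantics of those directives (DNComps absent: the whole subject DN is the base; DNComps present but empty: search the whole tree; FilterComps absent or empty: objectclass=*). Run with the poster's original entry it yields the base DN cn=certuser, which exists nowhere in the directory, so nothing matches; with the DNComps ou,o and FilterComps cn that Rich suggests it finds cn=certuser,ou=employees,o=us.com. The third case, where a non-matching issuer falls through to a "default" entry that has no DNComps and so looks up the whole subject DN directly, is my assumption about why a wrong issuerDN appeared to "work"; it is not stated in the thread. The sample directory, the DN parser (simple attr=value RDNs only, no attribute aliasing such as e/mail), and the omission of the verifycert and CmapLdapAttr steps are constructed simplifications.

```python
# Added example: simulate certmap.conf entry selection and DNComps/FilterComps
# search construction. Not 389 DS code; the directory and DN handling are
# constructed for illustration (no RDN escaping, no attribute aliasing,
# no verifycert or CmapLdapAttr step).
from typing import Dict, List, Optional, Tuple

# The poster's entry, as shown in the thread.
CERTMAP_ORIGINAL = """\
certmap example ou=employees,o=us.com
example:verifycert on
example:DNComps cn,email,roomNumber
example:FilterComps l,email,uid,telephoneNumber
"""

# The same entry with the DNComps/FilterComps values Rich suggested.
CERTMAP_SUGGESTED = """\
certmap example ou=employees,o=us.com
example:verifycert on
example:DNComps ou,o
example:FilterComps cn
"""

# Assumption: a "default" entry with no DNComps, so the whole subject DN is used.
CERTMAP_WITH_DEFAULT = CERTMAP_ORIGINAL + "certmap default default\n"

SUBJECT = "cn=certuser,ou=employees,o=us.com"  # subject DN of the poster's client cert
ISSUER = "ou=employees,o=us.com"                # issuer DN (the self-signed "CertCA")

DIRECTORY = {  # constructed sample directory: the entry the cert should map to
    "cn=certuser,ou=employees,o=us.com": {"cn": "certuser", "ou": "employees", "o": "us.com"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attr, value) pairs, most specific RDN first."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical form for issuer/base comparison (case and spacing insensitive)."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def parse_certmap(text: str) -> Dict[str, Dict[str, str]]:
    """certmap.conf -> {name: {"issuer": dn, "DNComps": "...", ...}}.
    A directive given with no value (e.g. 'example:DNComps') is stored as ''."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            entries[name] = {"issuer": issuer}
            continue
        name, _, rest = line.partition(":")
        key, _, value = rest.partition(" ")
        entries.setdefault(name, {})[key.strip()] = value.strip()
    return entries


def select_entry(entries, issuer_dn: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Entry whose issuer DN matches the cert's issuer, else 'default' if present."""
    wanted = normalize_dn(issuer_dn)
    for name, props in entries.items():
        if name != "default" and normalize_dn(props["issuer"]) == wanted:
            return name, props
    return ("default", entries["default"]) if "default" in entries else None


def build_search(props: Dict[str, str], subject_dn: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Base DN from DNComps and AND-ed (attr, value) filter terms from FilterComps."""
    comps = parse_dn(subject_dn)
    dn_comps = props.get("DNComps")
    if dn_comps is None:                      # directive absent: whole subject DN
        base = subject_dn
    elif dn_comps == "":                      # present but empty: whole tree
        base = ""
    else:
        keep = {a.strip().lower() for a in dn_comps.split(",")}
        base = ",".join(f"{a}={v}" for a, v in comps if a in keep)
    wanted = [a.strip().lower() for a in (props.get("FilterComps") or "").split(",") if a.strip()]
    terms = [(a, v) for a, v in comps if a in wanted]
    return base, terms


def as_filter(terms: List[Tuple[str, str]]) -> str:
    if not terms:
        return "(objectclass=*)"
    clauses = "".join(f"({a}={v})" for a, v in terms)
    return clauses if len(terms) == 1 else f"(&{clauses})"


def is_under(dn: str, base: str) -> bool:
    if base == "":
        return True
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def resolve(certmap_text: str, issuer_dn: str = ISSUER, subject_dn: str = SUBJECT) -> dict:
    """Map a (issuer, subject) pair to directory entries the way certmap.conf directs."""
    chosen = select_entry(parse_certmap(certmap_text), issuer_dn)
    if chosen is None:
        return {"entry": None, "base": None, "filter": None, "matches": []}
    name, props = chosen
    base, terms = build_search(props, subject_dn)
    matches = [dn for dn, attrs in DIRECTORY.items()
               if is_under(dn, base) and all(attrs.get(a) == v for a, v in terms)]
    return {"entry": name, "base": base, "filter": as_filter(terms), "matches": matches}


if __name__ == "__main__":
    for label, text in [("original", CERTMAP_ORIGINAL), ("suggested", CERTMAP_SUGGESTED)]:
        print(label, resolve(text))
    print("wrong issuer + default", resolve(CERTMAP_WITH_DEFAULT, issuer_dn="cn=Other CA,o=example"))
```

The useful check for a practitioner is the base DN the original entry produces: cn=certuser is not an entry anywhere under o=us.com, so "client certificate mapping failed" is the expected outcome regardless of the filter, and moving the structural components into DNComps (ou,o) while leaving the identifying component for FilterComps (cn) is what makes the search land on the user's entry.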