Dear Peter,
Thanks for the reply, it worked. Now I am concerned with authenticating OpenXPKI
with LDAP over TLS/SSL. How can I enable it, and what changes will be required?
Best Regards
Scotty
________________________________
From: "[email protected]" <[email protected]>
To: [email protected]
Sent: Thu, November 19, 2009 3:52:31 PM
Subject: Re: [OpenXPKI-users] openxpki ldap integration problem
Hi Thomas,
sorry for the long pauses, I am struggling with H1N1.
>> What sort of Authentication? You can use LDAP for Authentication in
>> OpenXPKI (see manual for OpenXPKI::Server::Authentication::LDAP).
>> Authentication module test details may be useful: to see them
>> go to the directory 't' in the OpenXPKI server sources tree and look through
>> the files ./50_auth/09.t and ./50_auth/auth.xml.
> User Authentication, it seems that it exists.
> Then how can I enable it? Is there any documentation describing it?
Unfortunately the sources of info I have already mentioned are all
that you can access at the moment:
# man OpenXPKI::Server::Authentication::LDAP
50_auth/09.t and 50_auth/auth.xml
To enable it you should change your auth.xml - add some tags there
concerning LDAP authentication as in 50_auth/auth.xml -
use it as an example:
<stack name="LDAP user">
  <description>
    This is the external LDAP based login with a static role.
  </description>
  <handler>LDAP user</handler>
</stack>
<handler name="LDAP user" type="LDAP">
  <description>
    This is the external LDAP based login with a static role.
  </description>
  <host>localhost</host>
  <port>389</port>
  <base>o=Security,dc=openxpki,dc=org</base>
  <version>3</version>
  <bind_dn>cn=Manager,dc=openxpki,dc=org</bind_dn>
  <bind_pw>your_big_secret</bind_pw>
  <use_tls>false</use_tls>
  <capath>no</capath>
  <searchattr>cn</searchattr>
  <searchvalueprefix>OpenXPKI User </searchvalueprefix>
  <auth_meth_attr>uid</auth_meth_attr>
  <default_auth_meth>bind</default_auth_meth>
  <auth_meth_map>
    <attr_value>X1</attr_value>
    <auth_meth>pwattr</auth_meth>
  </auth_meth_map>
  <auth_meth_map>
    <attr_value>X2</attr_value>
    <auth_meth>bind</auth_meth>
  </auth_meth_map>
  <pw_attr>userPassword</pw_attr>
  <pw_attr_hash>sha1</pw_attr_hash>
  <role_attr>title</role_attr>
  <role_map>
    <value>manager</value>
    <role>User</role>
  </role_map>
  <role_map>
    <value>programmer</value>
    <role>RA Operator</role>
  </role_map>
  <role_map>
    <value>CEO</value>
    <role>CA Operator</role>
  </role_map>
</handler>
But before doing it you should make some security decisions:
1) how do you want OpenXPKI to authorize itself while connecting to the LDAP
server (simple bind via login/password, SSL, TLS)
2) what LDAP node attribute will define the role of the authorized person
(in the example above it is 'title': 'manager' gets the 'User' role
after authentication, 'programmer' - 'RA Operator', 'CEO' - 'CA Operator')
3) what authentication method do you prefer - a simple bind to the LDAP server
using login/password, or comparing the password hash to the hash stored
in the <pw_attr> ('userPassword' in the example) of the user's
LDAP database record.
Then you should create the user nodes in the LDAP database with the
required attributes preset to the proper values.
For our example of auth.xml it may look like this:
dn: cn=OpenXPKI User Scott,o=Security,dc=openxpki,dc=org
cn: OpenXPKI User Scott
sn: Thomas
title: manager
uid: X1
userPassword: your_password
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: opencaEmailAddress
objectclass: pkiUser
Then it will be possible for you to enter OpenXPKI as 'User' if
you select the 'LDAP authentication method' and use 'Scott' as login
and 'your_password' as password. The server will find the LDAP record
having the 'cn=OpenXPKI User Scott' attribute
('OpenXPKI User ' is a prefix specified in auth.xml; it is an optional feature)
and see that your 'uid' is 'X1' - that means
that to finish your authentication the server must just try to connect to
the LDAP server as 'cn=OpenXPKI User Scott,o=Security,dc=openxpki,dc=org'
with your password. In the case of a successful connection OpenXPKI
will let you in as 'User' (your 'title' attribute value defines your
role as written in auth.xml).
See, that was just an example; sure, it is not really good to use 'uid'
for selecting the authentication type. You should decide what LDAP
schema you need and what attributes can serve as authentication type
selectors. In case you do not want to spend time on it, the
<default_auth_meth> tag in auth.xml can be used to specify the
default authentication method. Then your LDAP record may have no
'uid' attribute at all.
Best regards,
Peter Grigoriev.
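As an added illustration (not code from this thread and not OpenXPKI's own implementation), the Python script below simulates the decision sequence Peter describes: it parses the <handler> settings from the auth.xml excerpt, looks up the user by <searchattr> using the <searchvalueprefix>, picks 'bind' or 'pwattr' from the <auth_meth_attr> value via <auth_meth_map> (falling back to <default_auth_meth>), checks the password accordingly, and maps <role_attr> through <role_map>. The in-memory directory, the bind simulation and the '{SHA}' base64 form of userPassword are constructed assumptions (the thread's own LDIF stores the password in clear, and the exact hash encoding OpenXPKI compares against is not stated here). The transport_warnings helper only flags the use_tls/capath values shown in the snippet, which is the part relevant to the TLS question at the top of the thread; what OpenXPKI accepts in <capath> is likewise not stated on this page.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed copy of the <handler> settings from the auth.xml excerpt in the thread
# (the <description> text and the bind_dn/bind_pw used by the server are left out).
AUTH_XML = """<handler name="LDAP user" type="LDAP">
  <host>localhost</host>
  <port>389</port>
  <use_tls>false</use_tls>
  <capath>no</capath>
  <searchattr>cn</searchattr>
  <searchvalueprefix>OpenXPKI User </searchvalueprefix>
  <auth_meth_attr>uid</auth_meth_attr>
  <default_auth_meth>bind</default_auth_meth>
  <auth_meth_map><attr_value>X1</attr_value><auth_meth>pwattr</auth_meth></auth_meth_map>
  <auth_meth_map><attr_value>X2</attr_value><auth_meth>bind</auth_meth></auth_meth_map>
  <pw_attr>userPassword</pw_attr>
  <pw_attr_hash>sha1</pw_attr_hash>
  <role_attr>title</role_attr>
  <role_map><value>manager</value><role>User</role></role_map>
  <role_map><value>programmer</value><role>RA Operator</role></role_map>
  <role_map><value>CEO</value><role>CA Operator</role></role_map>
</handler>"""


def parse_handler(xml_text):
    """Turn the <handler> element into a dict; the two *_map lists become lookup tables."""
    root = ET.fromstring(xml_text)
    cfg = {child.tag: child.text for child in root if len(child) == 0}
    cfg["auth_meth_map"] = {m.findtext("attr_value"): m.findtext("auth_meth")
                            for m in root.findall("auth_meth_map")}
    cfg["role_map"] = {m.findtext("value"): m.findtext("role")
                       for m in root.findall("role_map")}
    return cfg


def sha1_userpassword(password):
    """Assumed hashed form: OpenLDAP-style '{SHA}' + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed stand-in for the directory: dn -> attributes. '_bind_secret' is not an
# LDAP attribute; it is only what the simulated simple bind below checks against.
DIRECTORY = {
    "cn=OpenXPKI User Scott,o=Security,dc=openxpki,dc=org": {
        "cn": "OpenXPKI User Scott", "title": "manager", "uid": "X1",
        "userPassword": sha1_userpassword("your_password"),   # uid X1 -> pwattr
    },
    "cn=OpenXPKI User Dev,o=Security,dc=openxpki,dc=org": {
        "cn": "OpenXPKI User Dev", "title": "programmer", "uid": "X2",
        "_bind_secret": "dev_password",                       # uid X2 -> bind
    },
    "cn=OpenXPKI User Boss,o=Security,dc=openxpki,dc=org": {
        "cn": "OpenXPKI User Boss", "title": "CEO",           # no uid -> default (bind)
        "_bind_secret": "boss_password",
    },
}


def search_user(directory, cfg, login):
    """Find the entry whose <searchattr> equals <searchvalueprefix> + login."""
    wanted = (cfg.get("searchvalueprefix") or "") + login
    for dn, attrs in directory.items():
        if attrs.get(cfg["searchattr"]) == wanted:
            return dn, attrs
    return None, None


def select_auth_method(cfg, attrs):
    """Map the <auth_meth_attr> value through <auth_meth_map>, else <default_auth_meth>."""
    return cfg["auth_meth_map"].get(attrs.get(cfg["auth_meth_attr"]), cfg["default_auth_meth"])


def simulated_bind(directory, dn, password):
    """Stand-in for an LDAP simple bind as the user's own DN (constant-time compare)."""
    entry = directory.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry.get("_bind_secret", "").encode(), password.encode())


def authenticate(directory, cfg, login, password):
    """Return the mapped OpenXPKI role on success, None on any failure."""
    dn, attrs = search_user(directory, cfg, login)
    if dn is None:
        return None
    method = select_auth_method(cfg, attrs)
    if method == "bind":
        ok = simulated_bind(directory, dn, password)
    elif method == "pwattr" and cfg.get("pw_attr_hash") == "sha1":
        stored = attrs.get(cfg["pw_attr"], "")
        ok = hmac.compare_digest(stored.encode(), sha1_userpassword(password).encode())
    else:
        ok = False  # unknown method or unsupported hash: fail closed
    if not ok:
        return None
    return cfg["role_map"].get(attrs.get(cfg["role_attr"]))  # unmapped title -> None


def transport_warnings(cfg):
    """Flag the settings that leave the server-to-LDAP connection unprotected."""
    warnings = []
    if cfg.get("use_tls") != "true":
        warnings.append("use_tls is not 'true': bind_pw and simple-bind passwords cross the wire in clear")
    if cfg.get("capath") in (None, "", "no"):
        warnings.append("capath is not set: the LDAP server certificate cannot be verified")
    return warnings


CFG = parse_handler(AUTH_XML)

if __name__ == "__main__":
    for login, pw in (("Scott", "your_password"), ("Scott", "wrong"), ("Dev", "dev_password"),
                      ("Boss", "boss_password"), ("Nobody", "x")):
        print(login, "->", authenticate(DIRECTORY, CFG, login, pw))
    for w in transport_warnings(CFG):
        print("warning:", w)
```

Note that the 'Boss' entry has no 'uid' at all, which exercises the <default_auth_meth> fallback Peter mentions at the end of his message, and that a title with no <role_map> entry is treated here as a failed login rather than a default role, a fail-closed choice made for the example.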
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users