Comments (4)
Comment from vakwetu (@vakwetu) at 2012-02-23 23:18:31
Additional steps needed to set up client auth for dogtag. These steps will be automatically set up in IPA, but they need to be documented for the standalone case.
- Install CA cert in directory server and trust it (or specifically security domain CA cert).
- Enable ssl on the CA (and ldaps port).
- Add something like the following to certmap.conf
certmap ipaca CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
where the first line is the issuer dn of the CA cert for your security domain CA.
- Restart the DS.
- Modify the following in CS.cfg:
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=636
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
- Restart CS component. (works for java components)
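A consistency check for the CS.cfg LDAP settings listed in the comment above, added here as an example (it is not Dogtag project code). It parses the key=value lines, finds every section that carries ldapauth/ldapconn keys, and reports a section whose authtype and connection settings do not agree: SslClientAuth on a non-TLS connection, a missing client cert nickname, or a BasicAuth simple bind over plain LDAP. The sample lines are the ones from the comment; the rules applied and the expectation that LDAPS listens on 636 are this example's own assumptions, not anything Dogtag enforces.

```python
"""Consistency check for the CS.cfg LDAP client-auth settings quoted above.
Added example, not Dogtag code; the rules below are assumptions of this
example (see the lead-in), not checks Dogtag itself performs."""
import re
from typing import Dict, List

# CS.cfg fragment copied from the comment above (constructed sample input).
SAMPLE_CS_CFG = """\
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=636
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
"""

# Assumption: LDAPS is on 636 as in the comment; change this if your DS differs.
LDAPS_PORT = "636"

# A section prefix is everything before ".ldapauth." or ".ldapconn.".
SECTION_RE = re.compile(r"^(.*)\.(ldapauth|ldapconn)\.")


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style key=value lines; blank lines and '#' comments are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def ldap_sections(cfg: Dict[str, str]) -> List[str]:
    """Prefixes that own ldapauth/ldapconn keys, e.g. 'internaldb'."""
    found = set()
    for key in cfg:
        m = SECTION_RE.match(key)
        if m:
            found.add(m.group(1))
    return sorted(found)


def check_section(cfg: Dict[str, str], prefix: str, ldaps_port: str = LDAPS_PORT) -> List[str]:
    """Findings for one LDAP section; an empty list means the section is consistent."""
    findings: List[str] = []
    get = lambda k: cfg.get(f"{prefix}.{k}", "")
    authtype = get("ldapauth.authtype")
    secure = get("ldapconn.secureConn").lower() == "true"
    port = get("ldapconn.port")

    if authtype == "SslClientAuth":
        # Client-cert auth needs a TLS connection, and the subsystem needs a
        # nickname to pick its client cert out of the NSS database.
        if not secure:
            findings.append(f"{prefix}: SslClientAuth but ldapconn.secureConn is not true")
        if not get("ldapauth.clientCertNickname"):
            findings.append(f"{prefix}: SslClientAuth without ldapauth.clientCertNickname")
        if not get("ldapauth.bindDN"):
            findings.append(f"{prefix}: SslClientAuth without ldapauth.bindDN")
    elif authtype == "BasicAuth":
        # A simple bind over plain LDAP sends the bind password in clear.
        if not secure:
            findings.append(f"{prefix}: BasicAuth over a non-TLS connection")
    else:
        findings.append(f"{prefix}: unexpected ldapauth.authtype {authtype!r}")

    if secure and port != ldaps_port:
        findings.append(f"{prefix}: secureConn=true but ldapconn.port={port!r}, expected {ldaps_port}")
    if not secure and port == ldaps_port:
        findings.append(f"{prefix}: ldapconn.port={ldaps_port} but secureConn is not true")
    if not get("ldapconn.host"):
        findings.append(f"{prefix}: ldapconn.host missing")
    return findings


def check_all(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_section over every LDAP section; only sections with findings are returned."""
    result: Dict[str, List[str]] = {}
    for prefix in ldap_sections(cfg):
        findings = check_section(cfg, prefix)
        if findings:
            result[prefix] = findings
    return result


if __name__ == "__main__":
    problems = check_all(parse_cs_cfg(SAMPLE_CS_CFG))
    print("consistent" if not problems else problems)
```

Run it against a real CS.cfg by reading the file into parse_cs_cfg; both sections from the comment pass, and flipping either secureConn to false produces two findings for that section (client auth without TLS, and port 636 without TLS).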
Comment from vakwetu (@vakwetu) at 2012-02-24 16:20:56
Pushed to master and dogtag 9
Comment from vakwetu (@vakwetu) at 2012-08-22 18:37:14
Just for documentation completeness. The fix for this issue occurred on dogtag 9 in the following commits:
The acls required for the new db user are specified in a new manager.ldif file, which is copied here so that anyone who wants to add a similar user can provide the relevant acls.
# acis for cert manager
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)

dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
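A small review helper for the manager.ldif ACIs quoted in the comment above, added here as an example (not Dogtag project code). It parses LDIF entries, extracts from each aci the name, the rights granted, the target attributes and filter, and the userdn it grants to, then flags any aci that grants to someone other than the intended db user and any unrestricted allow (all) so a reviewer can confirm it is wanted. It embeds an excerpt of the ldif with the {rootSuffix} and {dbuser} placeholders substituted by constructed values; the flagging rules are this example's own.

```python
"""Summarise and sanity-check the ACIs in a Dogtag-style manager.ldif.
Added example, not Dogtag code; the LDIF excerpt below is from the comment
with its placeholders filled in with constructed values."""
import re
from typing import Dict, List

# Constructed stand-ins for {dbuser} and {rootSuffix}.
DBUSER = "uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca"
ROOT_SUFFIX = "o=ipa-ca"

# Excerpt of the aci LDIF from the comment (constructed sample input).
MANAGER_LDIF = f"""\
# acis for cert manager
dn: {ROOT_SUFFIX}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{DBUSER}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{DBUSER}";)

dn: cn="{ROOT_SUFFIX}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{DBUSER}";)

dn: cn="{ROOT_SUFFIX}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{DBUSER}";)
"""

# Matches the parts of an aci we report on. The file uses both 'acl' and
# 'aci' as the keyword before the name, so both are accepted.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*(?P<targetattr>[^)]*)\)'
    r'.*?\(version\s+3\.0\s*;\s*(?:acl|aci)\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]*)"',
    re.DOTALL,
)
TARGETFILTER_RE = re.compile(r'\(targetfilter\s*=\s*"([^"]*)"\)')


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text: str) -> List[Dict]:
    """Split LDIF into entries, keeping dn, changetype and every aci value."""
    entries: List[Dict] = []
    cur = None
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends an entry
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if cur is None:
            cur = {"dn": None, "changetype": "add", "aci": []}
        if attr == "dn":
            cur["dn"] = value
        elif attr == "changetype":
            cur["changetype"] = value
        elif attr == "aci":
            cur["aci"].append(value)
    if cur is not None:
        entries.append(cur)
    return entries


def summarize_acis(entries: List[Dict], expected_user: str) -> List[Dict]:
    """One row per aci with its parsed fields and review findings."""
    rows: List[Dict] = []
    for entry in entries:
        for aci in entry["aci"]:
            row: Dict = {"dn": entry["dn"], "raw": aci, "findings": []}
            m = ACI_RE.search(aci)
            if not m:
                row["findings"].append("could not parse aci")
                rows.append(row)
                continue
            tf = TARGETFILTER_RE.search(aci)
            row.update(name=m.group("name"), effect=m.group("effect"),
                       rights=[r.strip() for r in m.group("rights").split(",")],
                       targetattr=m.group("targetattr"), targetattr_op=m.group("op"),
                       targetfilter=tf.group(1) if tf else None, userdn=m.group("userdn"))
            grantee = row["userdn"][len("ldap:///"):] if row["userdn"].startswith("ldap:///") else row["userdn"]
            if grantee != expected_user:
                row["findings"].append(f"grants to {grantee}, not the expected db user")
            # allow (all) on every attribute with no filter is the broadest grant in the file.
            if "all" in row["rights"] and row["targetattr_op"] == "=" and row["targetattr"] == "*" and not tf:
                row["findings"].append(f"allow (all) on every attribute below {entry['dn']}; confirm this broad grant is intended")
            rows.append(row)
    return rows


if __name__ == "__main__":
    for r in summarize_acis(parse_ldif(MANAGER_LDIF), DBUSER):
        print(r["dn"], r.get("name"), r.get("rights"), r["findings"])
```

Point it at the full manager.ldif (with the placeholders substituted the way your installer does) and pass the db user DN from CS.cfg's internaldb.ldapauth.bindDN; every aci should grant to that DN, and the only rows flagged should be the deliberate allow (all) grants.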
Comment from vakwetu (@vakwetu) at 2017-02-27 14:01:23
Metadata Update from @vakwetu:
- Issue assigned to vakwetu
- Issue set to the milestone: Dogtag 10.0.0.a1