mirror of https://github.com/tLDP/LDP
*** empty log message ***
This commit is contained in:
parent
baae6f4251
commit
6a00333161
|
@ -31,7 +31,8 @@
|
|||
<AUTHOR><FIRSTNAME>Giuseppe</FIRSTNAME>
|
||||
<OTHERNAME>Lo</OTHERNAME>
|
||||
<SURNAME>Biondo</SURNAME>
|
||||
<AFFILIATION><ORGNAME><ULINK URL=""></ULINK></ORGNAME>
|
||||
<AFFILIATION><ORGNAME><ULINK
|
||||
URL="http://www.mi.infn.it">INFN MI</ULINK></ORGNAME>
|
||||
<ADDRESS FORMAT="LINESPECIFIC"><EMAIL>giuseppe.lobiondo@mi.infn.it</EMAIL></ADDRESS></AFFILIATION></AUTHOR>
|
||||
<ABSTRACT><PARA>We are trying to use Ldap as a central database to store all users-related information. This document describes the process of HOW TO do this. Currently supported are the standard pam-authenticated login services, usage of a company-wide addressbook, and the storage of sendmails routing information.</PARA></ABSTRACT>
|
||||
<REVHISTORY><REVISION><REVNUMBER>0.1</REVNUMBER>
|
||||
|
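Review bot: the ABSTRACT kept as context in this hunk still reads "the storage of sendmails routing information"; since the header block is being edited anyway, "sendmail's routing information" and "how to do this" (instead of "HOW TO do this") would be the place to fix it. Replacing the empty `<ULINK URL=""></ULINK>` placeholder with a real affiliation is the right change, but the first author's AFFILIATION above it is outside the hunk, so check that both authors end up with a complete one. The REVHISTORY that follows shows only revision 0.1; adding a co-author and a new certificates section (the new file later in this commit) should be recorded as a new REVISION entry rather than left under 0.1.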
@ -58,7 +59,9 @@
|
|||
<PARA>This document is provided as is and should be considered as a work in progress. Several sections are as yet unfinished, and probably a lot of things that should be in here, aren't. I would greatly appreciate any comments on this document, of whatever nature they may be.</PARA>
|
||||
<PARA>In any case, think before you go messing around with your system and don't come to me if it breaks.</PARA></SECT2>
|
||||
<SECT2><TITLE>Copyright and license</TITLE>
|
||||
<PARA>Copyright (c) by Roel van Meer. This document may be distributed only subject to the terms and conditions set forth in the LDP License at the <ULINK URL="http://www.linuxdoc.org/COPYRIGHT.html">Linux Documentation Project</ULINK>.</PARA></SECT2></SECT1>
|
||||
<PARA>Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. This document
|
||||
may be distributed only subject to the terms and conditions set forth in
|
||||
the LDP License at the <ULINK URL="http://www.linuxdoc.org/COPYRIGHT.html">Linux Documentation Project</ULINK>.</PARA></SECT2></SECT1>
|
||||
§ionpamnss;
|
||||
§ionsasl;
|
||||
§ionradius;
|
||||
|
|
|
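Review bot: the three new lines `§ionpamnss;`, `§ionsasl;`, `§ionradius;` are the entity references `&sectionpamnss;`, `&sectionsasl;` and `&sectionradius;` with `&sect` turned into the section sign by the viewer. They are only valid if matching `<!ENTITY sectionpamnss SYSTEM "...">` (and likewise for sasl and radius) declarations exist in the document's internal subset and the referenced files are present; none of that is visible here, and no sasl or radius file appears anywhere in this diff, so the document will fail to build, or build with empty sections, until those files are committed. Separately, the copyright line now names two holders but still carries no year; consider adding one while touching it.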
@ -1,2 +1,132 @@
|
|||
<SECT1 ID="certificates"><TITLE>Publishing digital certificates with LDAP</TITLE>
|
||||
<PARA></PARA></SECT1>
|
||||
|
||||
<PARA> This section focuses on how to publish digital certificates into an ldap
|
||||
server. You need to publish digital certificates if you run a Certificaton
|
||||
Authority. Publishing to LDAP is a simple way to make this information available
|
||||
in the network .Also many certificate aware software uses LDAP as a preferred
|
||||
repository for user certificates.
|
||||
</PARA>
|
||||
|
||||
<PARA> This allows to keep users certificates with the rest of the user
|
||||
information avoiding useless replication of data.
|
||||
</PARA>
|
||||
|
||||
<PARA> To deal with certificates you need a cryptographic toolkit, the one used
|
||||
here is OpenSSL. </PARA>
|
||||
|
||||
|
||||
<SECT2><TITLE>LDAP Server configuration</TITLE>
|
||||
|
||||
<PARA> The LDAP server used here is OpenLDAP 2.0.x.</PARA>
|
||||
|
||||
<PARA> Your LDAP server must support objectclasses that allows attributes to
|
||||
store certificates. In particular you need to store in the LDAP server the
|
||||
Certification Authority certificate, the Certificate Revocation List, the
|
||||
Authority Revocation List and end users certificates.</PARA>
|
||||
|
||||
<PARA> The <FILENAME>certificationAuthority</FILENAME> objectclass implements
|
||||
the <FILENAME>authorityRevocationList</FILENAME>,
|
||||
<FILENAME>certificateRevocationList</FILENAME> and
|
||||
<FILENAME>cACertificate</FILENAME> attributes.</PARA>
|
||||
|
||||
<PARA>The <FILENAME>inetOrgPerson</FILENAME> objectclass supports the
|
||||
usercertificate (binary) attribute.</PARA>
|
||||
|
||||
<PARA>You can also use the mix-in objectclass
|
||||
<FILENAME>strongAuthenticationUser</FILENAME> to add certificates to non
|
||||
<FILENAME>inetOrgPerson</FILENAME> entries. </PARA>
|
||||
|
||||
<PARA>
|
||||
You can include required schemas to OpenLDAP including the following schemas
|
||||
into your <FILENAME>slapd.conf</FILENAME> file.
|
||||
</PARA>
|
||||
|
||||
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
|
||||
include /usr/local/etc/openldap/schema/core.schema
|
||||
include /usr/local/etc/openldap/schema/cosine.schema
|
||||
include /usr/local/etc/openldap/schema/inetorgperson.schema
|
||||
</PROGRAMLISTING></PARA>
|
||||
</SECT2>
|
||||
|
||||
<SECT2><TITLE>Certificate Publishing</TITLE>
|
||||
|
||||
<PARA> Certificates are encoded using ASN.1 DER (Distingushed Encoding Rules).
|
||||
So it must be published into the LDAP server as a binary piece of data (using
|
||||
BER encoding). </PARA>
|
||||
|
||||
<PARA>
|
||||
You can convert a pem certificate into der format using openssl
|
||||
</PARA>
|
||||
|
||||
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
|
||||
openssl x509 -outform DER -in incert.pem -out outcert.der
|
||||
</PROGRAMLISTING></PARA>
|
||||
|
||||
<PARA>
|
||||
Then an LDIF file can be created using the <FILENAME>ldif</FILENAME> utility
|
||||
provided with OpenLDAP. The command:
|
||||
</PARA>
|
||||
|
||||
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
|
||||
ldif -b "usercertificate;binary" < outcert.der > cert.ldif
|
||||
</PROGRAMLISTING></PARA>
|
||||
|
||||
<PARA> creates an usercertificate attribute encoded in BASE64. You can add
|
||||
this certificate to an LDIF entry and then use <FILENAME>ldapmodify</FILENAME>
|
||||
to add the certificate to an entry. </PARA>
|
||||
|
||||
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
|
||||
ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com" -f cert.ldif
|
||||
</PROGRAMLISTING></PARA>
|
||||
|
||||
<PARA>
|
||||
Where <FILENAME>cert.ldif</FILENAME> contains something like:
|
||||
</PARA>
|
||||
|
||||
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
|
||||
dn: cn=user,ou=people,dc=yourorg,dc=com
|
||||
changetype: modify
|
||||
add: usercertificate
|
||||
usercertificate;binary:: MIIC2TCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQQFADBGMQswCQYD
|
||||
VQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UECxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZO
|
||||
IENBICgyKTAeFw05OTA2MjMxMTE2MDdaFw0wMzA4MDExMTE2MDdaMEYxCzAJBgNVBAYTAklUMQ0w
|
||||
CwYDVQQKEwRJTkZOMRIwEAYDVQQLEwlBdXRob3JpdHkxFDASBgNVBAMTC0lORk4gQ0EgKDIpMIGf
|
||||
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrHdRKJsobcjXz/OsGjyq8v73DbggG3JCGrQZ9f1Vm
|
||||
9RrIWJPwggczqgxwWL6JLPKglxbUjAtUxiZm3fw2kX7FGMUq5JaN/Pk2PT4ExA7bYLnbLGZ9jKJs
|
||||
Dh4bNOKrGRIxRO9Ff+YwmH8EQdoVpSRFbBpNnoDIkHLc4DtzB+B4wwIDAQABo4HWMIHTMAwGA1Ud
|
||||
EwQFMAMBAf8wHQYDVR0OBBYEFK3QjOXGc4j9LqYEYTn9WvSRAcusMG4GA1UdIwRnMGWAFK3QjOXG
|
||||
c4j9LqYEYTn9WvSRAcusoUqkSDBGMQswCQYDVQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UE
|
||||
CxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZOIENBICgyKYIBADALBgNVHQ8EBAMCAQYwEQYJYIZI
|
||||
AYb4QgEBBAQDAgAHMAkGA1UdEQQCMAAwCQYDVR0SBAIwADANBgkqhkiG9w0BAQQFAAOBgQCDs5b1
|
||||
jmbIYVq2epd5iDjQ109SJ/V7b6DFw2NIl8CWeDPOOjL1E5M8dnlmCDeTR2TlBxqUZaBBJZPqzFdv
|
||||
xpxqsHC0HfkCXAnUe5MaefFNAH9WbxoB/A2pkXtT6WGWed+QsL5wyKJaO4oD9UD5T+x12aGsHcsD
|
||||
Cy3EVEaGEOl+/A==
|
||||
</PROGRAMLISTING></PARA>
|
||||
|
||||
<PARA>
|
||||
It is also possible to specify the certificate in the LDIF file as:
|
||||
</PARA>
|
||||
|
||||
|
||||
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
|
||||
userCertificate;binary:< file:///path/to/cert.der
|
||||
</PROGRAMLISTING></PARA>
|
||||
|
||||
</SECT2>
|
||||
|
||||
<SECT2><TITLE>LDAP Aware Clients</TITLE>
|
||||
|
||||
<PARA>Once you stored certificates in the server you may wonder to retrieve
|
||||
them.</PARA>
|
||||
|
||||
<PARA> Among other clients, Netscape has supprt to retrieve certificates
|
||||
automatically from an LDAP server. Using the Security Panel-->User
|
||||
Certificates-->Search Directory; you can search for certificates in the LDAP
|
||||
dierctory and have them automatically installed in your Netscape certificate
|
||||
database.</PARA>
|
||||
|
||||
<PARA>Another client that has good support for certificates is web2ldap <ULINK
|
||||
URL="http://www.web2ldap.de/">www.web2ldap.de</ULINK> </PARA>
|
||||
|
||||
</SECT2>
|
||||
</SECT1>
|
||||
|
|
|
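Review bot: in the `cert.ldif` example (`changetype: modify` / `add: usercertificate` / `usercertificate;binary:: ...`) the attribute description on the `add:` line does not match the one on the value line; RFC 2849 requires them to be the same, and `usercertificate` and `usercertificate;binary` are different attribute descriptions, so this should read `add: usercertificate;binary`, and the mod-spec should be terminated with a `-` line. The base64 value shown is also not an end-user certificate: it decodes to a self-signed certificate whose subject and issuer are both C=IT, O=INFN, OU=Authority, CN=INFN CA (2), with basicConstraints CA:TRUE, md5WithRSAEncryption over a 1024-bit key, valid 1999-06-23 to 2003-08-01. A CA certificate belongs in `cACertificate;binary` of a `certificationAuthority` entry, so either swap in a real user certificate or change the example to publish the CA. The sentence "So it must be published into the LDAP server as a binary piece of data (using BER encoding)" is confusing: the stored value is the DER encoding, `;binary` is the LDAP transfer option telling client and server to exchange the value in that form rather than as a string rendering, and `::` in LDIF merely base64-wraps the bytes. `ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com"` sends the directory manager's password in the clear unless the session is protected; suggest `-ZZ` (StartTLS) or an ldaps:// URI, and binding as a less privileged identity that is allowed to write only `userCertificate`. Typos in the new text: Certificaton, Distingushed, supprt, dierctory, "in the network .Also", "an usercertificate", "you may wonder to retrieve them".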
@ -399,6 +399,14 @@ Communicator certificate database.</PARA> </FOOTNOTE>.</PARA>
|
|||
<PARA>The main configuration file for LDAP clients is
|
||||
<FILENAME>/etc/ldap.conf</FILENAME>.</PARA>
|
||||
|
||||
|
||||
<PARA> Note that if you use nss_ldap, you don't strictly need to use pam_ldap.
|
||||
</PARA>
|
||||
|
||||
<PARA> You can use the pam_unix_auth module instead, since nss_ldap maps all
|
||||
getpw* and getsh* calls into LDAP lookups and pam_unix_auth uses this calls to
|
||||
authenticate users.</PARA>
|
||||
|
||||
<SECT4><TITLE>PAM LDAP Installation and Configuration</TITLE>
|
||||
|
||||
<PARA>To compile and install pam_ldap, do the following:</PARA>
|
||||
|
|
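Review bot: the new note that pam_unix_auth can replace pam_ldap because nss_ldap answers the getpw*/getsp* calls leaves out what that requires. pam_unix verifies the password against the crypt(3) hash it obtains via getspnam(), so nss_ldap on every client must be able to read each user's userPassword (typically by binding with the rootbinddn credentials kept in /etc/ldap.secret, or through an ACL that exposes hashes to the client's bind identity), and the hashes must be stored in a {CRYPT}-style form the client can compare. With pam_ldap the client never sees a hash: it binds as the user and the server checks the password, which also works with {SSHA}/{MD5} storage and lets the server enforce its own policy. The paragraph should state that trade-off instead of presenting the two as equivalent. Also "getsh*" should be "getsp*" (getspnam/getspent), "uses this calls" should be "uses these calls", and on current Linux-PAM the module is named `pam_unix`.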