*** empty log message ***

roel 2000-10-26 16:36:59 +00:00
parent baae6f4251
commit 6a00333161
3 changed files with 144 additions and 3 deletions

View File

@ -31,7 +31,8 @@
<AUTHOR><FIRSTNAME>Giuseppe</FIRSTNAME>
<OTHERNAME>Lo</OTHERNAME>
<SURNAME>Biondo</SURNAME>
<AFFILIATION><ORGNAME><ULINK URL=""></ULINK></ORGNAME>
<AFFILIATION><ORGNAME><ULINK
URL="http://www.mi.infn.it">INFN MI</ULINK></ORGNAME>
<ADDRESS FORMAT="LINESPECIFIC"><EMAIL>giuseppe.lobiondo@mi.infn.it</EMAIL></ADDRESS></AFFILIATION></AUTHOR>
<ABSTRACT><PARA>We are trying to use Ldap as a central database to store all users-related information. This document describes the process of HOW TO do this. Currently supported are the standard pam-authenticated login services, usage of a company-wide addressbook, and the storage of sendmails routing information.</PARA></ABSTRACT>
<REVHISTORY><REVISION><REVNUMBER>0.1</REVNUMBER>
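Review bot: the ABSTRACT kept as context in this hunk still lists only pam-authenticated login, the company addressbook and sendmail routing, so it does not mention the certificate-publishing section the second author contributes in this same commit; suggest extending the abstract sentence and adding a REVHISTORY entry after REVNUMBER 0.1 that records the new co-author and section. While touching that line, "sendmails routing information" should read "sendmail's routing information".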
@ -58,7 +59,9 @@
<PARA>This document is provided as is and should be considered as a work in progress. Several sections are as yet unfinished, and probably a lot of things that should be in here, aren't. I would greatly appreciate any comments on this document, of whatever nature they may be.</PARA>
<PARA>In any case, think before you go messing around with your system and don't come to me if it breaks.</PARA></SECT2>
<SECT2><TITLE>Copyright and license</TITLE>
<PARA>Copyright (c) by Roel van Meer. This document may be distributed only subject to the terms and conditions set forth in the LDP License at the <ULINK URL="http://www.linuxdoc.org/COPYRIGHT.html">Linux Documentation Project</ULINK>.</PARA></SECT2></SECT1>
<PARA>Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. This document
may be distributed only subject to the terms and conditions set forth in
the LDP License at the <ULINK URL="http://www.linuxdoc.org/COPYRIGHT.html">Linux Documentation Project</ULINK>.</PARA></SECT2></SECT1>
&sectionpamnss;
&sectionsasl;
&sectionradius;
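Review bot: the entity references that follow the new copyright paragraph (&sectionpamnss;, &sectionsasl;, &sectionradius;) are unchanged, so nothing in this file pulls in the certificates SECT1 added elsewhere in the commit; unless the entity is declared and referenced in a part of the file not shown, the new section will not be built into the document. Suggest adding a reference such as &sectioncertificates; (hypothetical name) after &sectionradius; and declaring it in the DOCTYPE alongside the others.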

View File

@ -1,2 +1,132 @@
<SECT1 ID="certificates"><TITLE>Publishing digital certificates with LDAP</TITLE>
<PARA></PARA></SECT1>
<PARA> This section focuses on how to publish digital certificates into an ldap
server. You need to publish digital certificates if you run a Certificaton
Authority. Publishing to LDAP is a simple way to make this information available
in the network .Also many certificate aware software uses LDAP as a preferred
repository for user certificates.
</PARA>
<PARA> This allows to keep users certificates with the rest of the user
information avoiding useless replication of data.
</PARA>
<PARA> To deal with certificates you need a cryptographic toolkit, the one used
here is OpenSSL. </PARA>
<SECT2><TITLE>LDAP Server configuration</TITLE>
<PARA> The LDAP server used here is OpenLDAP 2.0.x.</PARA>
<PARA> Your LDAP server must support objectclasses that allows attributes to
store certificates. In particular you need to store in the LDAP server the
Certification Authority certificate, the Certificate Revocation List, the
Authority Revocation List and end users certificates.</PARA>
<PARA> The <FILENAME>certificationAuthority</FILENAME> objectclass implements
the <FILENAME>authorityRevocationList</FILENAME>,
<FILENAME>certificateRevocationList</FILENAME> and
<FILENAME>cACertificate</FILENAME> attributes.</PARA>
<PARA>The <FILENAME>inetOrgPerson</FILENAME> objectclass supports the
usercertificate (binary) attribute.</PARA>
<PARA>You can also use the mix-in objectclass
<FILENAME>strongAuthenticationUser</FILENAME> to add certificates to non
<FILENAME>inetOrgPerson</FILENAME> entries. </PARA>
<PARA>
You can include required schemas to OpenLDAP including the following schemas
into your <FILENAME>slapd.conf</FILENAME> file.
</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
</PROGRAMLISTING></PARA>
</SECT2>
<SECT2><TITLE>Certificate Publishing</TITLE>
<PARA> Certificates are encoded using ASN.1 DER (Distingushed Encoding Rules).
So it must be published into the LDAP server as a binary piece of data (using
BER encoding). </PARA>
<PARA>
You can convert a pem certificate into der format using openssl
</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
openssl x509 -outform DER -in incert.pem -out outcert.der
</PROGRAMLISTING></PARA>
<PARA>
Then an LDIF file can be created using the <FILENAME>ldif</FILENAME> utility
provided with OpenLDAP. The command:
</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
ldif -b "usercertificate;binary" < outcert.der > cert.ldif
</PROGRAMLISTING></PARA>
<PARA> creates an usercertificate attribute encoded in BASE64. You can add
this certificate to an LDIF entry and then use <FILENAME>ldapmodify</FILENAME>
to add the certificate to an entry. </PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com" -f cert.ldif
</PROGRAMLISTING></PARA>
<PARA>
Where <FILENAME>cert.ldif</FILENAME> contains something like:
</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
dn: cn=user,ou=people,dc=yourorg,dc=com
changetype: modify
add: usercertificate
usercertificate;binary:: MIIC2TCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQQFADBGMQswCQYD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</PROGRAMLISTING></PARA>
<PARA>
It is also possible to specify the certificate in the LDIF file as:
</PARA>
<PARA><PROGRAMLISTING FORMAT="LINESPECIFIC">
userCertificate;binary:< file:///path/to/cert.der
</PROGRAMLISTING></PARA>
</SECT2>
<SECT2><TITLE>LDAP Aware Clients</TITLE>
<PARA>Once you stored certificates in the server you may wonder to retrieve
them.</PARA>
<PARA> Among other clients, Netscape has supprt to retrieve certificates
automatically from an LDAP server. Using the Security Panel-->User
Certificates-->Search Directory; you can search for certificates in the LDAP
dierctory and have them automatically installed in your Netscape certificate
database.</PARA>
<PARA>Another client that has good support for certificates is web2ldap <ULINK
URL="http://www.web2ldap.de/">www.web2ldap.de</ULINK> </PARA>
</SECT2>
</SECT1>
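Review bot: the ldapmodify example binds as the directory rootdn (-D "cn=Manager,dc=yourorg,dc=com") with a simple bind (-x -W), which sends the manager password in the clear unless the session is otherwise protected; for routine certificate publishing suggest a dedicated DN whose ACL grants write access only to userCertificate, cACertificate, certificateRevocationList and authorityRevocationList, add -ZZ (StartTLS) to the example, and add a sentence that slapd.conf access rules should restrict who may write these attributes, since the LDAP-aware clients described in the last SECT2 fetch them straight from the directory. The SECT2 on server configuration names the CRL and ARL attributes of certificationAuthority but the publishing SECT2 only shows a userCertificate entry; a matching example for the CA entry (openssl crl -outform DER for the CRL, then the same ldif/ldapmodify steps) would complete it. Spelling in the new prose: "Certificaton", "Distingushed", "supprt", "dierctory", "an usercertificate" (should be "a usercertificate"), and "in the network .Also" needs the space moved before "Also".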

View File

@ -399,6 +399,14 @@ Communicator certificate database.</PARA> </FOOTNOTE>.</PARA>
<PARA>The main configuration file for LDAP clients is
<FILENAME>/etc/ldap.conf</FILENAME>.</PARA>
<PARA> Note that if you use nss_ldap, you don't strictly need to use pam_ldap.
</PARA>
<PARA> You can use the pam_unix_auth module instead, since nss_ldap maps all
getpw* and getsh* calls into LDAP lookups and pam_unix_auth uses this calls to
authenticate users.</PARA>
<SECT4><TITLE>PAM LDAP Installation and Configuration</TITLE>
<PARA>To compile and install pam_ldap, do the following:</PARA>
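Review bot: the added claim that pam_unix_auth can replace pam_ldap because nss_ldap maps the getpw*/getsh* calls needs a caveat: pam_unix verifies a password by comparing it against the hash it obtains through getspnam(), so the directory must make userPassword readable to the bind identity configured in /etc/ldap.conf (or to anonymous binds), which exposes every user's hash to any host that can perform that read, whereas pam_ldap authenticates by binding as the user and never needs the hash. Suggest stating that trade-off next to the recommendation. Also "getsh*" should read "getsp*" (the shadow interface, getspnam/getspent), and "this calls" should be "these calls".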