[Fedora-directory-users] Certificate to LDAP mapping problem

Rich Megginson rmeggins at redhat.com
Sat Mar 28 18:55:33 UTC 2009


neuron ring wrote:
>
> Hi lambam,
>
> I am trying to do LDAP client certificate mapping. I have given an 
> outline of my configuration.
>
> My certmap.conf file:
>
> certmap example ou=employees,o=us.com    <-- this is the DN of the CA issuer
> example:verifycert on
> example:DNComps cn,email,roomNumber
>
Try
example:DNComps ou,o
>
> example:FilterComps l,email,uid,telephoneNumber
>
example:FilterComps cn
>
> example:CmapLdapAttr certSubjectDN
>
I don't think you want to use CmapLdapAttr

See http://directory.fedoraproject.org/wiki/Howto:CertMapping
for more information
>
>
> Generation of CA cert:
>
> certutil -S -n "CertCA" -s "ou=employees,o=us.com" -x -t "CT,," -m 1000 -v 120 \
>     -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
>
> Is this correct?
>
> I assume ou=employees,o=us.com is my CA cert issuer. 
> So I am using it as the issuerDN value in certmap.conf.
>
> Creating the client certificate:
>
> certutil -S -n "certuser" -s "cn=certuser,ou=employees,o=us.com" -c "CertCA" -t "u,u,u" \
>     -m 1003 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
>
> and adding the userCertificate;binary attribute to that user entry, after 
> exporting the certificate in binary form:
>
> certutil -L -d <instance-path> -n "certuser" -r >usercert.bin
>
> When I try to ldapsearch:
>
> ldapsearch -h myhost -p 636 -Z -P /etc/opt/dirsrv/slapd-<instance>/cert8.db -N "certuser" \
>     -K /etc/opt/dirsrv/slapd-<instance>/key3.db -W "password" -b "o=us.com" cn=certuser
>
> ldap_sasl_bind: Invalid credentials
> ldap_sasl_bind: additional info: client certificate mapping failed
>
> But when I change the issuerDN in the certmap.conf file to any other DN 
> (even a non-existent, invalid one) I get the search result properly. But 
> the requirement is that the issuerDN in certmap.conf should be exactly the 
> same DN as the one that issued the CA certificate.
>
> The problem is that whenever I use the correct issuerDN in the first line 
> of the certmap.conf file I get the error.
>
> I am totally confused. Can somebody help me get rid of this problem?
>
> Thanks in advance,
> Neuron Ring.
>
> Hello Neuron Ring.
>
>
> Certificate to LDAP Mapping:
>
> http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
>
> Page 198 ish.
>
> API:
> ----
>
> From page 201 of the above guide:
>
>
>   "You can use the Certificate Mapping API to create your own properties. For
>   information on using the Certificate Mapping API, see “Certificate Mapping SDKs”
>   at the following URL" - which is followed by a defunct link.
>
> Try here, rather:
>
> http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/
>
> I hope this helps, laters. I'll keep an eye out for further questions
> along this line.
>
>
> --------------------------------------------------------------------------------
> Date: Tue, 24 Mar 2009 17:51:50 +0530
> From: neuronring at gmail.com
> To: fedora-directory-users at redhat.com
> Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
>
> Hi all,
>
> I need to use “Certificate to LDAP Mapping” functionality.
>
> The README file in the source ldapserver/lib/ldaputil/examples path 
> suggests:
> Refer "Certificate to LDAP Mapping API" documentation to find out 
> about the various API functions and how you can write your
> plug-in.
>
> And also to refer “Managing servers” manual. But I couldn’t get those 
> documents. How can I write my own plug-in for LDAP Mapping?
>
> Or what can I do with Certmap.conf file to configure Certificate to 
> LDAP Mapping.
>
> Can somebody provide link to that document or explain
> what is Certificate to LDAP Mapping.
>
> Thanks in advance,
> Neuron Ring.
>
>


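To make Rich's suggestion concrete, here is an added example (not 389 Directory Server code, and not posted by anyone in the thread) that models how a certmap.conf block turns a certificate's subject DN into an LDAP search: DNComps picks the subject RDNs that form the search base, FilterComps picks the ones that form the filter, and verifycert requires the matched entry to hold the certificate. The rules are a simplification of the documented behaviour as I read it (in particular the fall-back to the `default` block when no issuerDN matches); the directory entries, the DER bytes and the two certmap configurations are constructed for the example from the DNs in the thread.

```python
"""Toy model of 389-ds certmap.conf mapping (added example, not 389-ds code)."""

# Constructed stand-in for the DER bytes of certuser's certificate.
CERTUSER_DER = b"\x30\x82\x01\x00CERTUSER-PLACEHOLDER"

# Constructed directory content: the entries implied by the thread.
DIRECTORY = {
    "o=us.com": {"o": ["us.com"]},
    "ou=employees,o=us.com": {"ou": ["employees"]},
    "cn=certuser,ou=employees,o=us.com": {
        "cn": ["certuser"],
        "userCertificate;binary": [CERTUSER_DER],
    },
}

ISSUER_DN = "ou=employees,o=us.com"
SUBJECT_DN = "cn=certuser,ou=employees,o=us.com"

# The poster's certmap.conf as a list of blocks, plus the implicit default block.
ORIGINAL_CERTMAP = [
    {"name": "example", "issuerDN": ISSUER_DN, "verifycert": True,
     "DNComps": ["cn", "email", "roomNumber"],
     "FilterComps": ["l", "email", "uid", "telephoneNumber"]},
    {"name": "default"},
]

# The same file with the DNComps/FilterComps values suggested in the reply.
SUGGESTED_CERTMAP = [
    {"name": "example", "issuerDN": ISSUER_DN, "verifycert": True,
     "DNComps": ["ou", "o"], "FilterComps": ["cn"]},
    {"name": "default"},
]


def parse_dn(dn):
    """Split 'cn=a, ou=b' into [('cn', 'a'), ('ou', 'b')]: attribute types
    lower-cased, whitespace trimmed. No RFC 4514 escaping; enough for the
    DNs in the thread, not a general DN parser."""
    comps = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"bad RDN {rdn!r} in {dn!r}")
        comps.append((attr.strip().lower(), value.strip()))
    return comps


def dn_norm(dn):
    """Canonical string for comparing DNs (types and values lower-cased)."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn or lies below it; an empty base is the root."""
    if not base_dn.strip():
        return True
    e, b = dn_norm(entry_dn), dn_norm(base_dn)
    return e == b or e.endswith("," + b)


def select_certmap(certmaps, issuer_dn):
    """Use the block whose issuerDN matches the certificate's issuer, else default."""
    for cm in certmaps:
        if cm["name"] != "default" and dn_norm(cm["issuerDN"]) == dn_norm(issuer_dn):
            return cm
    return next((cm for cm in certmaps if cm["name"] == "default"), {"name": "default"})


def map_certificate(certmaps, issuer_dn, subject_dn, cert_der, directory=DIRECTORY):
    """Return the entry DN the certificate maps to, or None on failure
    (the server then answers 'client certificate mapping failed')."""
    cm = select_certmap(certmaps, issuer_dn)
    subject = parse_dn(subject_dn)

    # Base DN: the subject RDNs whose type is listed in DNComps, in subject
    # order. A block with no DNComps line uses the whole subject DN.
    if "DNComps" in cm:
        wanted = {a.lower() for a in cm["DNComps"]}
        base = ",".join(f"{a}={v}" for a, v in subject if a in wanted)
    else:
        base = subject_dn

    # Filter: AND of the FilterComps attributes that occur in the subject;
    # none present means every entry under the base matches.
    filt = []
    if "FilterComps" in cm:
        wanted = {a.lower() for a in cm["FilterComps"]}
        filt = [(a, v) for a, v in subject if a in wanted]

    matches = []
    for dn, attrs in directory.items():
        if not is_under(dn, base):
            continue
        if not all(v.lower() in [x.lower() for x in attrs.get(a, [])] for a, v in filt):
            continue
        # verifycert on: the entry must hold this exact certificate.
        if cm.get("verifycert") and cert_der not in attrs.get("userCertificate;binary", []):
            continue
        matches.append(dn)
    # The mapping must be unambiguous: exactly one entry.
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print("original, issuer matched: ", map_certificate(ORIGINAL_CERTMAP, ISSUER_DN, SUBJECT_DN, CERTUSER_DER))
    print("original, issuer unmatched:", map_certificate(ORIGINAL_CERTMAP, "cn=bogus", SUBJECT_DN, CERTUSER_DER))
    print("suggested, issuer matched:", map_certificate(SUGGESTED_CERTMAP, ISSUER_DN, SUBJECT_DN, CERTUSER_DER))
```

Run as a script, the first case reproduces the thread's failure: with the issuer matched, `DNComps cn,email,roomNumber` takes only `cn=certuser` from the subject (the other two attributes are not in it), so the search base is `cn=certuser`, under which nothing exists, and the mapping fails. With an issuerDN that matches nothing, the `default` block is used, the whole subject DN becomes the base, and the entry is found, which is why the poster saw the search succeed with a bogus issuer line. With `DNComps ou,o` and `FilterComps cn` the base is `ou=employees,o=us.com`, the filter is `(cn=certuser)`, and verifycert passes because the entry holds the certificate. One check worth doing before editing certmap.conf: the Issuer line printed by `certutil -L -d <db> -n certuser` is the string the server compares against the certmap line, so the two must agree after DN normalisation, not just look alike.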

