Publishing User Certificates to LDAP Server

Endi S. Dewata edited this page Aug 31, 2022 · 10 revisions

Overview

This page describes how to configure the CA to publish user certificates to an LDAP server. Once publishing is enabled, every certificate matched by the publishing rule is written into the userCertificate attribute of the user entry that the mapper selects from the certificate's subject. The publisher updates existing entries and does not create them, so the user entries must exist before the certificates are issued.

Preparing LDAP Server

Prepare the publishing subtree. ldapadd reads the LDIF from standard input, so the entry is typed (or piped) after the command. The examples on this page bind as Directory Manager with the password given on the command line (-w); outside a throwaway test instance prefer -W (prompt) or -y passwordfile so the password does not end up in the process list or the shell history:

$ ldapadd \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123
dn: ou=people,dc=pki,dc=example,dc=com
objectClass: organizationalUnit
ou: people

Add the user entries that the certificates will be published to, for example:

$ ldapadd \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123
dn: uid=testuser,ou=people,dc=pki,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User

Configuring User Certificate Publishing

The user certificate publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg. Each pki-server ca-config-set command below writes one property into that file.

To configure the LDAP connection. The settings below use a plaintext connection on port 389 and bind as Directory Manager, which is acceptable only for a test instance: the CA's bind credentials would otherwise cross the network unprotected and grant full write access to the directory. For production set secureConn to true with the LDAPS port (636) and either bind as a dedicated account whose ACIs allow writing only userCertificate under the publishing subtree, or use authtype SslClientAuth with the nickname of the CA's client certificate in clientCertNickname. With BasicAuth, bindPWPrompt names the entry in /var/lib/pki/pki-tomcat/conf/password.conf from which the bind password is read; the value internaldb reuses the password the CA already stores there for its internal database:

$ pki-server ca-config-set ca.publish.ldappublish.enable true
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.host $HOSTNAME
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.port 389
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.secureConn false
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.authtype BasicAuth
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt internaldb
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.clientCertNickname ""

To configure the LDAP-based user certificate publisher, which stores the DER-encoded certificate in the userCertificate;binary attribute of the mapped entry:

$ pki-server ca-config-set ca.publish.publisher.instance.LdapUserCertPublisher.certAttr "userCertificate;binary"
$ pki-server ca-config-set ca.publish.publisher.instance.LdapUserCertPublisher.pluginName LdapUserCertPublisher

To configure the user certificate mapper. LdapSimpleMap builds the DN of the target entry from dnPattern, replacing each $subj.<attribute> token with the value of that attribute in the certificate's subject DN; here the subject's UID selects the entry under ou=people. The backslash in \$subj only keeps the shell from expanding $subj; the value stored in CS.cfg is uid=$subj.UID,ou=people,dc=pki,dc=example,dc=com. A certificate whose subject carries no UID cannot be mapped and is not published, so the enrollment profile used for these certificates must put the user's uid into the subject DN:

$ pki-server ca-config-set ca.publish.mapper.instance.LdapUserCertMap.dnPattern "uid=\$subj.UID,ou=people,dc=pki,dc=example,dc=com"
$ pki-server ca-config-set ca.publish.mapper.instance.LdapUserCertMap.pluginName LdapSimpleMap

To configure the user certificate publishing rule. An empty predicate applies the rule to every certificate the CA issues; certificates without a UID in the subject (server certificates, for example) then fail at the mapper, and the failure is recorded in the CA's debug log:

$ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.enable true
$ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.mapper LdapUserCertMap
$ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.pluginName Rule
$ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.predicate ""
$ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.publisher LdapUserCertPublisher
$ pki-server ca-config-set ca.publish.rule.instance.LdapUserCertRule.type certs

To enable publishing:

$ pki-server ca-config-set ca.publish.enable true

Finally, restart the server so that the CA loads the new configuration:

$ pki-server restart
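As an added check (example code written for this page, not part of Dogtag), the following Python models what the mapper configured above does and verifies the result offline. map_dn() performs the dnPattern substitution of LdapSimpleMap on a certificate subject DN and raises when the subject has no UID, the case in which nothing is published; verify_published() unfolds an ldapsearch LDIF dump, decodes the userCertificate;binary value of the mapped entry and compares it byte for byte with the DER certificate the CA issued. The LDIF text and the DER bytes in the block are constructed stand-ins. In practice the LDIF comes from a search such as ldapsearch -x -D "cn=Directory Manager" -W -b uid=testuser,ou=people,dc=pki,dc=example,dc=com userCertificate, run after enrolling a certificate whose subject includes UID=testuser, and the DER bytes from the certificate the CA returned.

```python
"""Added example for this page, not Dogtag code: model the LdapSimpleMap
dnPattern substitution and check an ldapsearch LDIF dump for the published
certificate."""
import base64
import re

# Value stored in CS.cfg by the dnPattern command on this page (the backslash
# there is shell quoting only).
DN_PATTERN = "uid=$subj.UID,ou=people,dc=pki,dc=example,dc=com"


def parse_subject(subject):
    """Split 'UID=testuser,CN=Test User,O=EXAMPLE' into a dict keyed by
    upper-cased attribute type. Escaped commas (\\,) stay inside the value."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", subject):
        typ, _, val = rdn.partition("=")
        attrs[typ.strip().upper()] = val.strip()
    return attrs


def map_dn(pattern, subject):
    """Resolve every $subj.<attr> token in pattern from the certificate subject,
    as LdapSimpleMap does. Raises KeyError when the subject lacks the attribute,
    which is the situation in which the CA cannot map the certificate and does
    not publish it."""
    attrs = parse_subject(subject)

    def substitute(match):
        name = match.group(1).upper()
        if name not in attrs:
            raise KeyError(f"subject {subject!r} has no {name} attribute")
        return attrs[name]

    return re.sub(r"\$subj\.([A-Za-z]+)", substitute, pattern)


def ldif_entries(ldif):
    """Parse ldapsearch output: unfold continuation lines (leading space),
    skip comment lines, decode '::' base64 values, return one dict per entry."""
    unfolded = re.sub(r"\r?\n ", "", ldif)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, rest = line.partition(":")
            if rest.startswith(":"):          # base64-encoded value
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode()
            entry.setdefault(key, []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries


def published_cert(ldif, dn):
    """DER bytes of userCertificate;binary on entry dn, or None if absent."""
    for entry in ldif_entries(ldif):
        if entry["dn"][0].decode().lower() == dn.lower():
            values = entry.get("userCertificate;binary", [])
            return values[0] if values else None
    return None


def verify_published(ldif, subject, issued_der):
    """True when the entry selected by DN_PATTERN holds exactly issued_der."""
    stored = published_cert(ldif, map_dn(DN_PATTERN, subject))
    return stored is not None and stored == issued_der


# Constructed stand-in for the DER certificate the CA issued (not a real cert).
ISSUED_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def fold(line, width=76):
    """LDIF line folding as ldapsearch prints it: continuation lines start
    with a single space."""
    return "\n ".join(line[i:i + width] for i in range(0, len(line), width))


# Constructed ldapsearch output for the testuser entry after publishing.
SAMPLE_LDIF = (
    "# extended LDIF\n#\n# LDAPv3\n"
    "# base <uid=testuser,ou=people,dc=pki,dc=example,dc=com> with scope subtree\n"
    "\n"
    "# testuser, people, pki.example.com\n"
    "dn: uid=testuser,ou=people,dc=pki,dc=example,dc=com\n"
    "objectClass: person\n"
    "objectClass: organizationalPerson\n"
    "objectClass: inetOrgPerson\n"
    "uid: testuser\n"
    "cn: Test User\n"
    "sn: User\n"
    + fold("userCertificate;binary:: " + base64.b64encode(ISSUED_DER).decode())
    + "\n\n# search result\nsearch: 2\nresult: 0 Success\n"
)

if __name__ == "__main__":
    subject = "UID=testuser,CN=Test User,OU=People,O=EXAMPLE"
    print("mapped DN:", map_dn(DN_PATTERN, subject))
    print("published and matches issued cert:",
          verify_published(SAMPLE_LDIF, subject, ISSUED_DER))
```

A mismatch between the stored value and the issued certificate usually means the entry was last written by an earlier enrollment (the publisher replaces the attribute, so only the most recent certificate for that UID survives), while a missing attribute points at the mapper: check that the subject really contains UID and that the resolved DN exists under ou=people.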