
RE: How can I get user certificates from ldapserver?



Hi Mehdi,

The following script is one I wrote to download all the PKI certificates from an LDAP
server. It works by scanning the LDAP server for users with the 'rfc822mailbox' entry
(email address) then for each address it retrieves the CN and the certificate, storing the
certificate under the user's name (CN).

The essence of the script is the use of the '-t' option on the ldapsearch, which stores
any retrieved value into a file in the tmp directory. The file it creates has the name
prefix ldap. The script parses the text returned by ldapsearch for 'file://' which
indicates the path/name of the downloaded file.

i.e.:
  certfile=`ldapsearch -h ${LDAPSRVR} -t -b ${SRCHBASE} -x -LLL \
      "(cn=${username})" "usercertificate;binary" | awk -F 'file://' \
      '{print $2}'`


Hope this helps.


Simon



----------------- cut here ---------------

#!/bin/bash
#
# Author:	Simon N. Thornton
# Date:		05/02/2002
#
# Function:	Retrieve all user PKI certificates from an LDAP server
#		(tested against iPlanet Dir server 4.01)
#		Searches for users with 'rfc822mailbox' attribute then downloads their
#		PKI certificate (usercertificate;binary) into a file. The results are
#		stored under the user's name (cn), with the extension .crt and .pem
#
#		The resulting certificate files are usable with MS and Netscape products
#
# LDAP Attribs:	rfc822mailbox
#		usercertificate;binary
#
# Requires:	openssl if crt (binary) to pem conversion required
#		bash
#
# Note:		Modify LDAPSRVR, SRCHBASE, and SRCHCLASS before use

#----------------------- Start of configurable params ------------------

#DEBUG=1			# uncomment for debug
CERTDIR="./certs"		# Directory to store downloaded certs (it's created automatically)
LOGNAME=getcerts		# Log all results here
LOG=$LOGNAME.log

# Set LDAP server name (and any authentication params)
LDAPSRVR="myldap.company.com"

# Set the default search base for your LDAP server
SRCHBASE="ou=yourou,o=yourcompany,c=yourcountry"

# To limit the search still further, enter any class which can identify users with PKI
# certificates, e.g.: SRCHCLASS="(objectclass=entrustUser)"
# Whether there is a specific objectclass used for all users with PKI certificates
# depends on your LDAP schema.
# The generic search class is:  SRCHCLASS="(objectclass=*)"
SRCHCLASS="(objectclass=*)"

# Your domain name (set to "" if no filtering required)
# This is used to filter results so that only users in your domain are checked for certs
DOMAIN="yourdomain.com"

# Set shortcuts for openssl (set to "" if openssl not installed/required)
X509="openssl x509"

# Error message to show when no certificate found
sNOTFND="No certificate found!"

#----------------------- End of configurable params ------------------



# Create a directory to hold the certificate
if [ ! -d $CERTDIR ]; then
	mkdir $CERTDIR
else
	# Clean out
	rm -f $CERTDIR/*.pem $CERTDIR/*.crt
fi

# Change filter if needed
if [ -n "$1" ]; then
	if [ "$1" == "n" ]; then
		SRCHCLASS=""
	else
		SRCHCLASS="($1)"
	fi
fi


# Get the email addresses of all users
echo
echo - Getting a list of all users from LDAP server
echo
allusers=`ldapsearch -h ${LDAPSRVR} -b "$SRCHBASE" -x -LLL "$SRCHCLASS" rfc822mailbox |
	grep "^rfc822" | awk '{print tolower($2)}' | grep -i "@${DOMAIN}" | sort | uniq`

rm -f /tmp/ldap*

nUsers=0
nCerts=0
(
	for user in ${allusers}; do
		nUsers=`expr $nUsers \+ 1`
		username=`ldapsearch -h ${LDAPSRVR} -b ${SRCHBASE} -x -LLL "(rfc822mailbox=$user)" cn |
			grep "cn:" | awk -F': ' '{print $2}'`
		echo -n "Username: $user/$username"
		# -t makes ldapsearch write the binary value to a file under /tmp and print
		# its location as file://<path>; keep only the path
		certfile=`ldapsearch -h ${LDAPSRVR} -t -b ${SRCHBASE} -x -LLL "(cn=${username})" \
			"usercertificate;binary" | awk -F 'file://' '{print $2}'`
		if [ -z "$certfile" ]; then
			echo -n "       "$sNOTFND
		else
			mv $certfile $CERTDIR/$user.crt
			certfile=$CERTDIR/$user

			if [ -n "${X509}" ]; then
				$X509 -in $certfile.crt -inform DER -out $certfile.pem -outform PEM
			fi

			echo -n " Certificate: $certfile.[crt|pem]"
			nCerts=`expr $nCerts \+ 1`
		fi
		echo
	done

	echo
	echo "Users=$nUsers, Certs Found=$nCerts"
	echo
) 2>&1 | tee $LOG

echo
echo "- extracting a list of all users who do not have certificates"
echo
(
	nUsers=`tail -n 10 $LOG | grep 'Users=' | sed -e 's/[=,]/ /g' | awk '{print $2}'`
	# Collect the list first and count it in memory: re-reading $LOGNAME-nocerts.log
	# here would race with the tee that is still writing it
	nocerts=`grep " $sNOTFND" $LOG | sed "s/$sNOTFND//g"`
	echo "$nocerts"
	echo
	nUserNoCerts=`echo "$nocerts" | grep -c .`
	echo "Users=$nUsers, Users with no certificates=$nUserNoCerts"
	echo
) 2>&1 | tee $LOGNAME-nocerts.log

echo
echo - Logfile written to $LOG
echo - Users with no certificates written to $LOGNAME-nocerts.log
echo - Done!
echo

# Clean up any temporary files left over from the certificate download
rm -f /tmp/ldap*

#----------------------- End of script ----------------------------
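The script above relies on ldapsearch's '-t' option to drop the certificate into /tmp and then globs it back out (and later runs `rm -f /tmp/ldap*` on a shared directory). As an added example that is not part of Simon's script, the same certificate can be taken straight out of the LDIF that `ldapsearch -LLL` prints, where a binary attribute appears base64-encoded after a `::` separator; the function names and the sample entry are constructed for this illustration.

```shell
#!/bin/bash
# Added example (not Simon's script): pull the DER certificate out of the LDIF
# that 'ldapsearch -LLL' prints, instead of using '-t' to have ldapsearch drop
# it into /tmp. In LDIF a binary attribute is base64 with a '::' separator,
#   usercertificate;binary:: <base64>
# and long values are folded onto continuation lines starting with one space.
# Function names and the sample entry are constructed for this example.

# Join LDIF continuation lines (leading space) back onto their attribute line.
ldif_unfold() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1         { printf "\n" }
                        { printf "%s", $0 }
         END            { printf "\n" }'
}

# Print the base64 value of the first usercertificate;binary attribute on stdin.
ldif_cert_b64() {
    ldif_unfold | awk -F ':: ' 'tolower($1) == "usercertificate;binary" { print $2; exit }'
}

# Decode the certificate found in the LDIF on stdin into the DER file named by $1.
# Returns 1 (and writes nothing) when the entry carries no certificate.
ldif_to_der() {
    b64=$(ldif_cert_b64)
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d > "$1"
}

# Constructed sample entry. The "certificate" is the string DER-BYTES-0123456789,
# not a real X.509 blob, folded over two lines the way ldapsearch prints long values.
SAMPLE_LDIF='dn: cn=jdoe,ou=people,o=example
cn: jdoe
rfc822mailbox: jdoe@example.com
usercertificate;binary:: REVSLUJZVEVT
 LTAxMjM0NTY3ODk=
'

# Run the sample through the extractor and print what was decoded.
demo() {
    out=$(mktemp)
    printf '%s' "$SAMPLE_LDIF" | ldif_to_der "$out" || return 1
    cat "$out"
    rm -f "$out"
}

demo
```

In the real script the LDIF would come from `ldapsearch -h ${LDAPSRVR} -b ${SRCHBASE} -x -LLL "(cn=${username})" "usercertificate;binary"` piped into `ldif_to_der "$CERTDIR/$user.crt"`, and the `openssl x509 -inform DER` conversion is unchanged.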