[Date Prev][Date Next]
SUMMARY Re: client certificates -- howto?
After finishing up the summary I have a few questions:
1) Why isnt ldapwhoami converting "0.9.2342.19200300.100.1.1" to "uid"?
2) Why is the SSF 0?
3) Is there a .ldaprc directive to use the sasl EXTERNAL mech all the
This is a summary of how I created a working client certificate. I
already had server certs working - and this requred setting up a CA for
myself. My directory is setup such that 'uid' is used in the DN. If
yours isnt, I doubt that this will work for you:
I first created a minimal openssl configuration file to teach openssl
about the concept of 'uid':
oid_section = new_oids
[ new_oids ]
[ req ]
default_bits = 1024
default_keyfile = user.key
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
uid = user id
uid_max = 20
[ v3_req ]
nsCertType = client,email
basicConstraints = critical,CA:false
(it is likely that not all of that is necessary)
I called it 'user-cert.conf'
I generated the private key:
$ openssl genrsa -out USERNAME.key 1024
and then created a 'certificate signing request'
$ openssl req -new -config user-cert.conf -key USERNAME.key \
(all one line)
(how to set up a CA is actualy documented elsewhere)
Now, in the role of the Certificate Authority God I had to make some
changes to the 'openssl.cnf' file:
- in the "[ new_oids ]" section added the line:
- in both the policy_match and policy_anything sections I change
all the existing lies to 'optional' and added:
uid = supplied
- processed the request with the following command:
# openssl ca -config openssl.cnf -out ~USERNAME/certs/USERNAME.crt \
I then returned to being a mear mortal to continue.
- convert the .crt format certificate to something that openldap likes:
$ openssl x509 -inform PEM -outform DER -in USERNAME.crt \
I created a minimal ldif file to update my LDAP user object:
- ran the update:
$ ldapmodify -Z -f ldif
The only change I had to make to slapd.conf were to include the
following lines :
restarted slapd for these to take effect.
I updated my ~/.ldaprc to setup the keys/cert pair so I can actualy use
this... Added the lines:
$ ldapwhoami -Y EXTERNAL -Z
SASL/EXTERNAL authentication started
SASL username: 0.9.2342.19200300.100.1.1=jeffw
SASL SSF: 0