DS Authentication

From Dogtag


This page describes how to set up a user in the DS (Directory Server) that the PKI server uses to access the DS.

DS User

During PKI server installation a new user (pkidbuser) is created in the database for the PKI server to use when accessing the database. This user replaces Directory Manager, so the Directory Manager password no longer needs to be stored in PKI server configuration files.

By default PKI server still uses Directory Manager, but it can be switched to this user after installation. The user supports basic authentication (username and password) or client-certificate authentication.

dn: uid=pkidbuser,<current subsystem's suffix>
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userPassword: <password>
userCertificate;binary:: <base64-encoded DER certificate>
uidNumber: <uid>
gidNumber: <gid>
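As an added example (not Dogtag's own code or tooling), the following Python renders the entry above as a proper LDIF add record: binary or otherwise unsafe values use the base64 `::` form and long lines are folded per RFC 2849, which is what a DER certificate value needs before it can be fed to ldapadd. The certificate bytes are a constructed placeholder, and the suffix, uid/gid numbers and home directory path are assumptions. It also adds the posixAccount object class and homeDirectory, which are assumptions about the directory's schema: under the standard 389 DS schema uidNumber and gidNumber are only permitted through posixAccount, which in turn requires homeDirectory, so the bare template would be rejected with schema checking on.

```python
import base64

LDIF_WIDTH = 76  # RFC 2849 recommends folding at 76 characters


def ldif_line(attr, value):
    """Render one attribute/value pair; base64-encode (attr:: ...) when the
    value is bytes or is not a SAFE-STRING per RFC 2849 (leading space, ':' or '<',
    trailing space, non-ASCII, NUL/CR/LF)."""
    if isinstance(value, bytes):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    unsafe = (
        value == ""
        or value[0] in " :<"
        or value[-1] == " "
        or any(ord(c) > 127 or c in "\0\r\n" for c in value)
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def fold_ldif(line, width=LDIF_WIDTH):
    """Fold a long LDIF line; continuation lines start with a single space."""
    if len(line) <= width:
        return [line]
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return out


def pkidbuser_ldif(suffix, password, cert_der, uid_number, gid_number, uid="pkidbuser"):
    """Build the LDIF add record for the PKI database user described on the page.
    posixAccount/homeDirectory are an assumption about the DS schema (see lead-in).
    userPassword is given in clear; 389 DS hashes it with its password storage scheme."""
    pairs = [
        ("dn", f"uid={uid},{suffix}"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),  # assumption: allows uidNumber/gidNumber
        ("cn", uid),
        ("sn", uid),
        ("uid", uid),
        ("userPassword", password),
        ("userCertificate;binary", cert_der),  # bytes -> base64 '::' form
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/var/lib/pki/{uid}"),  # assumption; required by posixAccount
    ]
    lines = []
    for attr, value in pairs:
        lines.extend(fold_ldif(ldif_line(attr, value)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholder standing in for a real DER certificate.
    fake_der = b"\x30\x03\x02\x01\x01"
    print(pkidbuser_ldif("dc=ca,dc=example,dc=com", "Secret.123", fake_der, 389, 389))
```

Write the output to a file and load it with `ldapadd -x -D "cn=Directory Manager" -W -f pkidbuser.ldif`; the folding and `::` encoding mean the record round-trips unchanged through any RFC 2849 LDIF reader.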

Separate Database


Shared Database

pki_share_dbuser_dn=uid=pkidbuser,<initial subsystem's suffix>

DS Authentication

Basic Authentication

Pre-Install Configuration

Currently PKI server can only be deployed by a Directory Manager:

pki_ds_bind_dn=cn=Directory Manager

Post-Install Configuration

After installation it can be switched to pkidbuser. See DS Basic Authentication.

Client Certificate Authentication

Pre-Install Configuration (NOT IMPLEMENTED)

pki_ds_client_cert_nickname=subsystemCert cert-pki-ca

Post-Install Configuration

Client-certificate authentication can be enabled post-install. See Enabling Client Certificate Authentication with Internal Database.


$ kinit -kt /etc/dirsrv/ds.keytab ldap/server.example.com@EXAMPLE.COM
$ ldapsearch -Y GSSAPI -h server.example.com -s base -b ""


See ticket #1585 and Configuring Autobind.

Manual Setup

$ ldapmodify -h server.example.com -p 389 -x -D "cn=Directory Manager" -w Secret.123
dn: cn=config
changetype: modify
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
replace: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
replace: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
replace: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber
-
replace: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: dc=ca,dc=example,dc=com
-
replace: nsslapd-ldapimaprootdn
nsslapd-ldapimaprootdn: cn=Directory Manager

Restart the server:

$ systemctl restart dirsrv@pki-tomcat.service
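After the restart it is worth confirming that cn=config really carries the autobind settings, since a rejected ldapmodify (for example an LDIF record with missing separators) fails silently from the PKI server's point of view. The following Python, added here and not part of Dogtag or 389 DS, parses the cn=config entry as returned by ldapsearch (unfolding continuation lines, decoding base64 values and ignoring attribute-name case, which ldapsearch output does not preserve) and reports every setting from the procedure above that is absent or wrong. It also checks nsslapd-ldapilisten, which is not on this page but must be on for the LDAPI socket to exist at all. The two config dumps are constructed samples, and the socket path in them is an assumption.

```python
import base64

# Attributes the manual setup above sets, plus nsslapd-ldapilisten (not on the
# page; LDAPI must be listening for autobind to be reachable).
EXPECTED_VALUES = {
    "nsslapd-ldapilisten": "on",
    "nsslapd-ldapiautobind": "on",
    "nsslapd-ldapimaptoentries": "on",
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
}
# Site-specific values: only their presence is checked.
MUST_BE_SET = ("nsslapd-ldapientrysearchbase", "nsslapd-ldapimaprootdn")


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser: unfold ' '-continuation lines, decode
    'attr:: base64' values, key attributes by lower-cased name."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_autobind_config(text):
    """Return a list of human-readable problems; empty means autobind is configured."""
    attrs = parse_ldif_entry(text)
    problems = []
    for name, expected in EXPECTED_VALUES.items():
        got = attrs.get(name.lower())
        if not got:
            problems.append(f"{name} is not set")
        elif got[0].lower() != expected.lower():
            problems.append(f"{name} is {got[0]!r}, expected {expected!r}")
    for name in MUST_BE_SET:
        if not attrs.get(name.lower()):
            problems.append(f"{name} is not set")
    return problems


# Constructed sample: cn=config before the ldapmodify above was applied.
BEFORE = """dn: cn=config
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-pki-tomcat.socket
nsslapd-ldapiautobind: off
"""

# Constructed sample: the same entry after the procedure (one value folded, one
# attribute name in a different case, as real ldapsearch output may show).
AFTER = """dn: cn=config
nsslapd-ldapilisten: on
nsslapd-ldapifilepath: /var/run/slapd-pki-tomcat.socket
nsslapd-ldapiautobind: on
nsslapd-ldapimaptoentries: on
nsslapd-ldapiUidNumberType: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: dc=ca,dc=exam
 ple,dc=com
nsslapd-ldapimaprootdn: cn=Directory Manager
"""

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        print(label, check_autobind_config(dump) or "OK")
```

In practice the input is the output of `ldapsearch -x -D "cn=Directory Manager" -W -b cn=config -s base` run against the instance; an empty problem list is the condition under which the PKI server can bind over LDAPI as pkidbuser without a password.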