IPA DS Installation

From Dogtag
Jump to: navigation, search

Overview

On RHEL 6 IPA uses separate DS instances for IPA and PKI:

  • slapd-EXAMPLE-COM
    • port: 389
    • namespace: dc=example,dc=com
  • slapd-PKI-IPA
    • port: 7389
    • namespace: o=ipaca

On RHEL 7 IPA uses only one DS instance:

  • port: 389/636
  • namespaces:
    • dc=example,dc=com
    • o=ipaca

DS Installation

Configure certificate mapping in /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf:

# search entire directory for (uid=<UID in subject DN>)
certmap default         default
default:DNComps
default:FilterComps     uid

# search entire directory for (seeAlso=<subject DN>)
# then compare client certificate with userCertificate
certmap example         CN=Certificate Authority,O=EXAMPLE.COM
example:CmapLdapAttr    seeAlso
example:verifycert      on

Verifying DS Certificates

List the DS certificates with this command:

$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u

Make sure the nicknames and trust attributes are as shown above.

Check each certificate with the following command:

$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM -n "<nickname>"

Verify that the following information is correct:

  • subject DN
  • issuer DN
  • validity dates
  • certificate usages

Verifying PKI Certificates

List the PKI certificates with this command:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Make sure the nicknames and trust attributes are as shown above.

Check each certificate with the following command:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "<nickname>"

Verify that the following information is correct:

  • subject DN
  • issuer DN
  • validity dates
  • certificate usages

Verifying DS Connection in PKI

Find the subsystem certificate nickname in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

$ grep internaldb.ldapauth.clientCertNickname /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca

Use the certificate to authenticate against the DS:

$ grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > /var/lib/pki/pki-tomcat/alias/password.txt
$ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/alias/password.txt
$ chmod 400 /var/lib/pki/pki-tomcat/alias/password.txt
$ LDAPTLS_CACERTDIR=/var/lib/pki/pki-tomcat/alias \
    LDAPTLS_CERT="subsystemCert cert-pki-ca" \
    LDAPTLS_KEY=/var/lib/pki/pki-tomcat/alias/password.txt \
    ldapsearch -H ldaps://$HOSTNAME:636 -b "o=ipaca" -s one "(objectClass=*)"

Note: The ldapsearch command should not contain -x, -D, or -w options.

The search operation should return these entries:

dn: ou=people,o=ipaca

dn: ou=groups,o=ipaca

dn: ou=requests,o=ipaca

dn: cn=crossCerts,o=ipaca

dn: ou=ca,o=ipaca

dn: ou=replica,o=ipaca

dn: ou=ranges,o=ipaca

dn: cn=aclResources,o=ipaca

dn: ou=Security Domain,o=ipaca

Check the DS access log at /var/log/dirsrv/slapd-EXAMPLE-COM/access:

[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM
[21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca

The client certificate should be mapped to "pkidbuser".

See Also