PKI Server CA Authentication Plugin CLI

From Dogtag

Overview

Starting with Dogtag 10.x, the pki console is being deprecated. The console has many features for which no equivalent CLI exists yet. Authentication plug-ins connect a Dogtag instance to the source it authenticates requests against, such as an LDAP directory or a flat file.

The pki-server ca-auth-plugin CLI provides an interface for the administrator to configure these authentication plugins.

Register Authentication plugin manager

# pki-server ca-auth-manager-add -t SysAuth -c org.class.example.com.SystemAuth -i topology-02-CA
Auth plugin registered.

Remove Authentication plugin manager

# pki-server ca-auth-manager-del SysAuth -i topology-02-CA
Auth plugin manager SysAuth deleted.


Find Authentication plugin manager

# pki-server ca-auth-manager-find -i topology-02-CA
  Configured Plugin Managers.
  ===========================
   Manager ID: FlatFileAuth
   Manager Class: com.netscape.cms.authentication.FlatFileAuth

   Manager ID: CMCUserSignedAuth
   Manager Class: com.netscape.cms.authentication.CMCUserSignedAuth

   Manager ID: UidPwdGroupDirAuth
   Manager Class: com.netscape.cms.authentication.UidPwdGroupDirAuthentication

   Manager ID: UserPwdDirAuth
   Manager Class: com.netscape.cms.authentication.UserPwdDirAuthentication

   Manager ID: SharedToken
   Manager Class: com.netscape.cms.authentication.SharedSecret

   Manager ID: SessionAuthentication
   Manager Class: com.netscape.cms.authentication.SessionAuthentication

   Manager ID: UidPwdPinDirAuth
   Manager Class: com.netscape.cms.authentication.UidPwdPinDirAuthentication

   Manager ID: AgentCertAuth
   Manager Class: com.netscape.cms.authentication.AgentCertAuthentication

   Manager ID: TokenAuth
   Manager Class: com.netscape.cms.authentication.TokenAuthentication

   Manager ID: UidPwdDirAuth
   Manager Class: com.netscape.cms.authentication.UidPwdDirAuthentication

   Manager ID: SSLclientCertAuth
   Manager Class: com.netscape.cms.authentication.SSLclientCertAuthentication

   Manager ID: CMCAuth
   Manager Class: com.netscape.cms.authentication.CMCAuth

Add Authentication plugin instance

Create an instance of the SharedToken authentication plugin. Note that the example below passes the bind password on the command line, where it ends up in shell history and process listings, and binds as cn=Directory Manager (the directory superuser) to a plain LDAP port (the instance reports Secure Connection: false). For a production instance, use a dedicated bind account with read access only to the subtree it needs, and a TLS-protected connection:

# pki-server ca-auth-plugin-add -i topology-02-CA \
    -n sharedTok2 \
    -t SharedToken \
    -h pki1.example.com \
    -p 3389 \
    --dnPattern "UID=\$attr.uid" \
    --stringAttribute mail \
    --byteAttributes mail \
    --ldapBaseDN "o=topology-02-CA-CA" \
    --bindDN "cn=Directory Manager" \
    --password SECret.123 \
    --authType basicAuth \
    --attr "mail2"
Added plugin sharedTok2

Create an instance of the UidPwdDirAuth authentication plugin:

# pki-server ca-auth-plugin-add -i topology-02-CA \
    -n uidpwd2 \
    -t UidPwdDirAuth \
    -h pki1.example.com \
    -p 3389 \
    --dnPattern "UID=\$attr.uid" \
    --stringAttribute mail \
    --byteAttributes mail \
    --ldapBaseDN "o=topology-02-CA-CA" \
    --ldapAttrName "mail" \
    --ldapAttrDesc "mail"
Added plugin uidpwd2

Adding an authentication plugin instance from a file is planned (out of scope for now).

Show Authentication plugin instance

# pki-server ca-auth-plugin-show uidpwd2 -i topology-02-CA
   Instance Name: uidpwd2
   Plugin Name: UidPwdDirAuth
   DN Pattern: UID=$attr.uid
   Hostname: pki1.example.com
   Port: 3389
   Secure Connection: false
   Version: 3
   Base DN: o=topology-02-CA-CA
   LDAP Bytes Attributes: mail
   LDAP String Attributes: mail


To also write the plugin configuration to a file, pass -o with the output path:

# pki-server ca-auth-plugin-show uidpwd2 -i topology-02-CA -o /tmp/plug.cfg
   Instance Name: uidpwd2
   Plugin Name: UidPwdDirAuth
   DN Pattern: UID=$attr.uid
   Hostname: pki1.example.com
   Port: 3389
   Secure Connection: false
   Version: 3
   Base DN: o=topology-02-CA-CA
   LDAP Bytes Attributes: mail
   LDAP String Attributes: mail

   Plugin stored in /tmp/plug.cfg.

Find Authentication Plugin instances

Some plugin instances are present by default. Use the following CLI to list them together with any instances you have added:

# pki-server ca-auth-plugin-find -i topology-02-CA
 Available plugins:
 ==================
 Configured Plugin instances.
 ============================
   Instance Name: AgentCertAuth
   Plugin Name: AgentCertAuth
   Plugin Group: Certificate Manager Agents

   Instance Name: CMCUserSignedAuth
   Plugin Name: CMCUserSignedAuth

   Instance Name: SSLclientCertAuth
   Plugin Name: SSLclientCertAuth

   Instance Name: SessionAuthentication
   Plugin Name: SessionAuthentication

   Instance Name: TokenAuth
   Plugin Name: TokenAuth

   Instance Name: flatFileAuth
   Plugin Name: FlatFileAuth
   Authentication Attributes: PWD
   Defer On Failure: true
   File name: /var/lib/pki/topology-02-CA/conf/ca/flatfile.txt
   Key Attributes: UID

   Instance Name: raCertAuth
   Plugin Name: AgentCertAuth
   Plugin Group: Registration Manager Agents

   Instance Name: sharedTok2
   Plugin Name: SharedToken
   DN Pattern: UID=$attr.uid
   Bind DN: cn=Directory Manager
   Bind PW Prompt: Rule sharedTok2
   Hostname: pki1.example.com
   Port: 3389
   Secure Connection: false
   Version: 3
   Base DN: o=topology-02-CA-CA
   Auth Type: basicAuth
   LDAP Bytes Attributes: mail
   LDAP String Attributes: mail
   Shared Token Attribute: mail2

   Instance Name: uidpwd2
   Plugin Name: UidPwdDirAuth
   DN Pattern: UID=$attr.uid
   Hostname: pki1.example.com
   Port: 3389
   Secure Connection: false
   Version: 3
   Base DN: o=topology-02-CA-CA
   LDAP Bytes Attributes: mail
   LDAP String Attributes: mail

Remove Authentication plugin instance

# pki-server ca-auth-plugin-del -i topology-02-CA uidpwd2
Plugin uidpwd2 removed from instance topology-02-CA
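The find and show output above is what pki-server reads back from the CA's configuration. As an added example (not code from the Dogtag page or from pki-server itself), the Python script below parses a constructed CS.cfg excerpt that mirrors the instances shown on this page, groups the auths.instance.<name>.* keys per instance the way the find listing does, and flags the two settings a reviewer would want to catch: LDAP-backed plugins running without a secure connection, and a bind as cn=Directory Manager. The key names used (pluginName, ldap.ldapconn.host, ldap.ldapconn.secureConn, ldap.ldapauth.bindDN, and so on) follow Dogtag's CS.cfg convention and are an assumption here, since the page does not show the underlying file; the sample configuration text is constructed for the example.

```python
"""Offline audit of CA authentication plugin instances.

Added example; not part of the Dogtag wiki page or of pki-server.
Assumption: pki-server stores each instance as `auths.instance.<name>.*`
keys in the CA's CS.cfg (key names taken from Dogtag's CS.cfg convention,
not from this page). The config text below is constructed to mirror the
`ca-auth-plugin-find` output on the page.
"""
from collections import defaultdict

# Constructed sample CS.cfg excerpt (not copied from a real instance).
SAMPLE_CS_CFG = """\
auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
auths.impl.SharedToken.class=com.netscape.cms.authentication.SharedSecret
auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
auths.instance.flatFileAuth.pluginName=FlatFileAuth
auths.instance.flatFileAuth.fileName=/var/lib/pki/topology-02-CA/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=UID
auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.sharedTok2.pluginName=SharedToken
auths.instance.sharedTok2.dnpattern=UID=$attr.uid
auths.instance.sharedTok2.ldap.basedn=o=topology-02-CA-CA
auths.instance.sharedTok2.ldap.ldapconn.host=pki1.example.com
auths.instance.sharedTok2.ldap.ldapconn.port=3389
auths.instance.sharedTok2.ldap.ldapconn.secureConn=false
auths.instance.sharedTok2.ldap.ldapconn.version=3
auths.instance.sharedTok2.ldap.ldapauth.authtype=BasicAuth
auths.instance.sharedTok2.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.sharedTok2.ldap.ldapauth.bindPWPrompt=Rule sharedTok2
auths.instance.uidpwd2.pluginName=UidPwdDirAuth
auths.instance.uidpwd2.dnpattern=UID=$attr.uid
auths.instance.uidpwd2.ldap.basedn=o=topology-02-CA-CA
auths.instance.uidpwd2.ldap.ldapconn.host=pki1.example.com
auths.instance.uidpwd2.ldap.ldapconn.port=3389
auths.instance.uidpwd2.ldap.ldapconn.secureConn=false
auths.instance.uidpwd2.ldap.ldapconn.version=3
"""


def parse_cs_cfg(text):
    """Parse `key=value` lines into a dict; blank and '#' lines are skipped.
    Values such as DNs and DN patterns contain '=' themselves, so split on
    the first '=' only."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def auth_instances(cfg):
    """Group `auths.instance.<name>.<rest>` keys by instance name,
    returning {name: {rest: value}}; impl (manager) keys are ignored."""
    prefix = "auths.instance."
    instances = defaultdict(dict)
    for key, value in cfg.items():
        if not key.startswith(prefix):
            continue
        name, _, rest = key[len(prefix):].partition(".")
        instances[name][rest] = value
    return dict(instances)


def audit_instance(name, params):
    """Return the findings for one instance. Plugins without an LDAP
    connection (flat file, certificate based) have nothing to check here."""
    findings = []
    host = params.get("ldap.ldapconn.host")
    if host is None:
        return findings
    port = params.get("ldap.ldapconn.port", "?")
    secure = params.get("ldap.ldapconn.secureConn", "false").lower() == "true"
    bind_dn = params.get("ldap.ldapauth.bindDN")
    if not secure:
        findings.append(f"{name}: plain LDAP to {host}:{port}; user passwords "
                        "and any bind credential cross the network unencrypted")
    if bind_dn and bind_dn.lower() == "cn=directory manager":
        findings.append(f"{name}: binds as the directory superuser; "
                        "use a dedicated read-only bind account")
    return findings


def audit(text):
    """Parse a CS.cfg text and return (instances, findings)."""
    instances = auth_instances(parse_cs_cfg(text))
    findings = []
    for name in sorted(instances):
        findings.extend(audit_instance(name, instances[name]))
    return instances, findings


if __name__ == "__main__":
    instances, findings = audit(SAMPLE_CS_CFG)
    for name in sorted(instances):
        print(f"Instance Name: {name}  Plugin Name: {instances[name].get('pluginName', '?')}")
    for finding in findings:
        print("WARN", finding)
```

Run it against a copy of the CA's CS.cfg (read the file into `audit`) to get the same per-instance grouping the find command prints, plus the warnings; the flatFileAuth instance produces none because it has no LDAP connection, while both LDAP-backed instances are flagged for the plain connection and sharedTok2 additionally for the superuser bind.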

Authentication plugin templates

Store templates in a file and use them to add authentication plugin instances (planned, out of scope for now).
