On Mon, Oct 25, 2021 at 10:09 AM Endi Dewata <[email protected]> wrote:
> On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <
> [email protected]> wrote:
>
>> Tomasz Torcz via FreeIPA-users wrote:
>> >> ACME also has a realm configuration:
>> >>
>> >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
>> >>
>> >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
>> >>
>> >> so there could be an issue there.
>> >
>> > This looks to be configured, but I found a possible discrepancy in
>> > "password":
>> >
>> > $ cat /etc/pki/pki-tomcat/acme/realm.conf
>> > # VERSION 2 - DO NOT REMOVE THIS LINE
>> > authType=BasicAuth
>> > class=org.dogtagpki.acme.realm.DSRealm
>> > groupsDN=ou=groups,o=ipaca
>> > usersDN=ou=people,o=ipaca
>> > url=ldaps://kaitain.pipebreaker.pl:636
>> > configFile=/etc/pki/pki-tomcat/ca/CS.cfg
>> > username=acme-kaitain.pipebreaker.pl
>> > password=<40-character long text string>
>> >
>> > While the userPassword:: field of uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca
>> > contains a very long base64 string, which decodes to a 447-character string starting
>> > with {PBKDF2_SHA256}. How to make sure it corresponds to the same
>> > value?
>> >
>>
>> This is the password for the username in the file. It is basically
>> unused by IPA as IPA uses client auth with the RA agent certificate.
>>
>> rob
>>
>
> Looks like the realm is configured with BasicAuth, so it should be
> using bindDN and bindPassword params as described here:
>
> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
>
> If you want to use SslClientAuth, I think you would need to
> specify the nickname param:
>
> https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/realm/LDAPRealm.java#L112
>
> https://github.com/dogtagpki/pki/blob/master/base/server/src/main/java/com/netscape/cmscore/ldapconn/LdapAuthInfo.java#L36
>
> https://github.com/dogtagpki/pki/wiki/Configuring-Client-Certificate-Authentication-to-Internal-Database
>
> But IIRC in IPA case it's configured to reuse the internaldb connection
> defined in CS.cfg so these params don't need to be specified again.
> Is there a working IPA instance with ACME that can be compared
> against?
>

Yeah, the realm config has a configFile param, so it will ignore the other
params above, and use the params from CS.cfg instead:

https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/realm/LDAPRealm.java#L61

https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/realm/LDAPRealm.java#L147-L153

-- 
Endi S. Dewata
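Tomasz asked how to check that the cleartext `password=` in realm.conf is the value behind the `{PBKDF2_SHA256}` userPassword in the o=ipaca tree. The following is an added example, not code from this thread, from Dogtag or from 389-ds. It assumes the legacy 389-ds `{PBKDF2_SHA256}` layout: base64 of a 4-byte big-endian iteration count, a 64-byte salt and a 256-byte PBKDF2-HMAC-SHA256 output (15 + 432 = 447 characters, which matches the length reported above; verify this layout against your own directory server version, since newer schemes use a different encoding). The realm.conf text, the LDIF line and the password are constructed here for illustration; as Rob notes, a mismatch would not affect IPA's ACME auth, which uses the RA agent certificate rather than this password.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed legacy 389-ds "{PBKDF2_SHA256}" layout (check against your DS version):
#   base64( iterations[4 bytes, big-endian] || salt[64 bytes] || dk[256 bytes] )
SCHEME = "{PBKDF2_SHA256}"
ITER_LEN, SALT_LEN, HASH_LEN = 4, 64, 256


def make_hash(password: str, iterations: int = 10000, salt: Optional[bytes] = None) -> str:
    """Build a {PBKDF2_SHA256} userPassword value. Only used to construct test data here;
    a real directory hashes the password itself when the entry is written."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    blob = iterations.to_bytes(ITER_LEN, "big") + salt + dk
    return SCHEME + base64.b64encode(blob).decode("ascii")


def parse_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a {PBKDF2_SHA256} value into (iterations, salt, derived key)."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a %s value" % SCHEME)
    blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(blob) != ITER_LEN + SALT_LEN + HASH_LEN:
        raise ValueError("unexpected decoded length %d" % len(blob))
    iterations = int.from_bytes(blob[:ITER_LEN], "big")
    salt = blob[ITER_LEN:ITER_LEN + SALT_LEN]
    return iterations, salt, blob[ITER_LEN + SALT_LEN:]


def verify(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    iterations, salt, expected = parse_hash(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(actual, expected)


def decode_ldif_userpassword(line: str) -> str:
    """LDIF writes 'userPassword:: <b64>' where the base64 wraps the whole value, scheme tag included."""
    attr, sep, value = line.partition(":: ")
    if attr.strip() != "userPassword" or not sep:
        raise ValueError("expected a base64-encoded userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


def realm_conf_password(text: str) -> str:
    """Pull the cleartext password= entry out of a realm.conf (Java properties style)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "password":
            return value.strip()
    raise KeyError("no password= entry in realm.conf")


def realm_password_matches(realm_conf_text: str, ldif_line: str) -> bool:
    """True if realm.conf's password= is the preimage of the LDAP entry's userPassword."""
    return verify(realm_conf_password(realm_conf_text), decode_ldif_userpassword(ldif_line))


# --- constructed sample data (not real credentials) ---
SAMPLE_PASSWORD = "Secret.123"
SAMPLE_REALM_CONF = """# VERSION 2 - DO NOT REMOVE THIS LINE
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
usersDN=ou=people,o=ipaca
username=acme-example
password=%s
""" % SAMPLE_PASSWORD
# Fixed salt so the sample is reproducible; the hash itself is computed at import time.
_SAMPLE_HASH = make_hash(SAMPLE_PASSWORD, iterations=2048, salt=bytes(range(SALT_LEN)))
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(_SAMPLE_HASH.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print("stored value length:", len(_SAMPLE_HASH))
    print("realm.conf password matches LDAP entry:", realm_password_matches(SAMPLE_REALM_CONF, SAMPLE_LDIF_LINE))
```

In practice you would paste the `password=` value from `/etc/pki/pki-tomcat/acme/realm.conf` and the `userPassword::` line from an `ldapsearch -LLL` of the `uid=acme-<host>,ou=people,o=ipaca` entry; `parse_hash` rejects values whose decoded length is not 324 bytes, which is the quickest sign that the directory is using a different password scheme than the one assumed here.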
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
