I was using RBAC. Now I have a different problem:
I would like to have different virtual servers (http://ra.pki, http://node.pki, http://pub.pki). But Apache doesn't allow for more than one web server certificate with virtual hosts, so I had to go back to the "usual" configuration.
PS - What is the state of openca.0.9.2? Is it stable enough for production?
Michael Bell wrote:
Nuno Miguel Neves wrote:
I already saw the example for trying to authenticate users using their certificates.
However, instead of using the common name, I would like to use the role of the certificate: CA Operators can access some things, RA Operators some others, Users cannot, etc...
How is that done? Can the Role be joined to the DN? How?
The most important question is which version do you use?
0.9.1
-----
Add the role manually to the subject and then filter the certificates after authentication with Apache and mod_ssl.
0.9.2
-----
Please read the docs. Here is only a short description:
0. go to OPENCADIR/etc/access_control/your_interface.xml
1. activate x509 based login
2. activate map_role
3. activate map_operation (or you have to configure the access permission for every single role)
4. edit OPENCADIR/etc/rbac/acl.xml (add/remove permissions as you need)
I hope this is simple enough.
Michael
--
[EMAIL PROTECTED] Dept. Informatica, Fac. Ciencias,
|\ | |\ | Tel: +351 21 7500528 Univ. Lisboa, Bloco C5, Campo Grande
| \|uno | \|eves Fax: +351 21 7500084 1700 Lisboa, Portugal
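
The 0.9.1 approach from the quoted reply (role added to the subject, then filtered by Apache and mod_ssl), sketched as an added example that is not part of the original thread or of OpenCA's own configuration. It assumes the role was written into the OU component of the subject DN; the file paths, URL paths and role strings are hypothetical.

```apache
# Added example: role-based filtering of client certificates with mod_ssl.
# Assumption: the role sits in the OU field of the certificate subject.
<VirtualHost _default_:443>
    ServerName ra.pki
    SSLEngine on

    # Hypothetical paths to the server certificate and key.
    SSLCertificateFile    /etc/apache/ssl/server.crt
    SSLCertificateKeyFile /etc/apache/ssl/server.key

    # Accept client certificates only from the issuing CA, so an OU value
    # in a certificate from any other CA is never evaluated.
    SSLCACertificateFile  /etc/apache/ssl/cacert.pem
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Hypothetical RA area: RA Operators and CA Operators may enter.
    <Location /ra>
        SSLRequire %{SSL_CLIENT_S_DN_OU} in {"RA Operator", "CA Operator"}
    </Location>

    # Hypothetical CA area: CA Operators only.
    <Location /ca>
        SSLRequire %{SSL_CLIENT_S_DN_OU} eq "CA Operator"
    </Location>

    # Public pages: no role test. Chain verification still applies because
    # SSLVerifyClient is set for the whole virtual host.
    <Location /pub>
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

The role check is only as trustworthy as the CA's control over the subject field, so the OU must be set by the CA at issuance and not taken from the request. On Apache 2.4, `SSLRequire` is deprecated and the same test is written with `Require expr`.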
