Hi John,
I don't think we are talking about the same thing.
I have done what you are talking about to setup authentication on the ra,
ca, ldap interfaces for administration.
What I am referring to is the authenticated browser request link on the
pub interface for users. It uses the datasources specified in
datasources.xml. Unlike, the ldap.xml or config.xml used in the above, it
does not show how to specify the bind credentials (binddn, bindpw, etc).
-----------------------------------------------------------------
DAVID BLAINE, GCIA , CISSP
GDLS-C Lead Information Risk Manager (LIRM)
CSC
6000 E. 17 Mile Rd. Sterling Heights MI 48313
GIS | o: 586.825.7650 | c: 810.217.8041 | f: 586.825.8606 |
dblai...@csc.com | www.csc.com
This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
any order or other contract unless pursuant to explicit written agreement
or government initiative expressly permitting the use of e-mail for such
purpose.
"John A. Sullivan III" <jsulli...@opensourcedevel.com>
01/19/2009 02:37 PM
Please respond to
"Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
To
"Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
cc
Subject
Re: [Openca-Users] Authenticated browser requests - how to specify
bind credentials
On Mon, 2009-01-19 at 14:15 -0500, David W Blaine wrote:
>
> Hi all,
>
> I have been setting up a datasource in datasources.xml to bounce
> against Windows AD for authentication. How do you specify seperate
> bind credentials or is the bind attempted as the user that is supplied
> on the web form?
<snip>
If I understand the question correctly, I believe the magic is in the
interplay of the binddn, searchattr, and role attribute. Here is an
excerpt from our internal documentation (appropriately adapted):
However, it appears we can only use one access database at a time so, if
we want to use LDAP, comment out all the internal database information
including the password information. For LDAP authentication, we need to
use OUs to organize users as OpenCA does not properly use fedora ds
roles and groups. Thus, the LDAP section of the access_control templates
should look something like this:
<database>ldap</database>
<ldapdata>
<host>192.168.xxx.23</host>
<port>389</port>
<base>ou=Internal,dc=mycompany,dc=com</base>
<binddn>uid=dsearcher,ou=internal,dc=mycompany,dc=com</binddn> <!-- the
fixed openca user who will query LDAP for the credentials of the user
logging in -->
<bindpw>password</bindpw>
<usetls>yes</usetls>
<cacertpath>/etc/pki/CA/certs/</cacertpath> <!-- path to the LDAP
servers's CA cert -->
<searchattr>uid</searchattr> <!-- the attribute which corresponds to the
value used by the login user to login -->
<ldapdefaultauthmeth>bind</ldapdefaultauthmeth>
</ldapdata>
<passwd>
<roleattribute>ou</roleattribute> <!-- what LDAP attribute to use to
determine the user's role -->
<rolemapping>
<roleattributevalue>ou=pki_admins,ou=internal,dc=mycompany,dc=com</roleattributevalue>
<role>CA Operator</role>
</rolemapping>
</passwd>
Since any access_control templates and files contain the clear text
password for the LDAP searching user, they should be readable only to
the user however both openca and apache need access. Thus we change
permissions (chmod 640 *) and change group ownership (chgrp apache *).
To explain the documentation, the user authenticates to AD (by the way,
I haven't done this with AD). I believe AD is then queried for the
<roleattribute> associated with the user's <searchattr>. It then takes
the value of that roleattribute and compares it to <roleattributevalue>
and sees which <role> is mapped to that attribute value. Thus, anyone
with a valid ID and password in AD can login into OpenCA but only those
who have roleattributes which map to OpenCA roles can actually do
anything.
Please understand this is my guess at what is going on. I have not
analyzed it carefully and have not looked at the code. Hope this helps
- John
--
John A. Sullivan III
Open Source Development Corporation
Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love
and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense
------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
