On Tue, 2010-01-05 at 00:34 +0100, Marco Carcano wrote:
> Hi
>
> I'm writing an installation script that, at the end of the work, "I
> hope" may set up a CentOS 5.x Linux to act as a Windows 2003 Small Business.
> The project name is ECK, you can find it on sourceforge. Although it is
> an alpha, I successfully installed several servers with it (and they
> could even work!).
> For now it can successfully set up in less than 30 minutes ntpd, dhcpd
> with ddns updates, dns, openldap kerberized, MIT kerberos, Samba as a
> PDC which can also work in a Kerberos realm (it is my bijou!), postfix,
> dovecot, roundcube and egroupware, ... every package has been tightly
> integrated within openLDAP (for example the Roundcube addressbook with the
> egroupware one; you can define mail-enabled groups (real system groups you
> can use to send mail to members - like Microsoft does)).
>
> And now why I'm writing to this list: ... I'd like to add OpenCA! I
> compiled an RPM and added it to the ECK repository. I can install OpenCA and
> start it without particular trouble - although I had to patch one file -
> I don't know why, without the changes I did it often failed to start - if
> one of the developers is interested about this I could send him a
> detailed log and the "patch".
>
> It seems to work quite well, but I'm struggling with LDAP integration,
> ... so is there an OpenCA LDAP integration guru out there who wants to
> help me?
>
> In ECK I designed a really easy LDAP structure (in our example we use
> the DC style dc=acme,dc=local), so that LDAP services go under
>
>     ou=Services,dc=acme,dc=local
>
> As for OpenCA, I'd like to put its data under
>
>     cn=openca,ou=Certificates,ou=Services,dc=acme,dc=local
>
> There is also an ou=Users,dc=acme,dc=local, an
> ou=Groups,dc=acme,dc=local and an ou=Computer,dc=acme,dc=local - you can
> easily guess what goes under these trees.
>
> So I need someone who can help me configure OpenCA with LDAP
> in DC style.
>
> Any help is appreciated: as soon as OpenCA support is good I'd like
> to add other useful things, like Freeradius, StrongSWAN, SQUID, Amanda,
> ... lots of work, so your help with openca will be appreciated.
>
> I hope somebody wants to give me some help - and maybe join my project: I
> wrote it in such a modular way that it will even be easy enough for
> anybody to complete the OpenCA module himself.
>
> Hope to hear from some of you soon

<snip>

We are successfully using OpenCA 1.0.2 with DC syntax. I'm afraid I'm under a nasty deadline so I won't have time to streamline this or pretty it up - I'll just expunge sensitive data. Here are notes from our internal documentation. I don't think the patches have been accepted into OpenCA yet so, if you need them, please email me and I'll send them. I have zero experience developing in Perl so they are definitely use at your own risk!
To give context to the procedure below, we use a combined CA/RA, a separate public node, and a common database hosted on a separate database server. There may be some steps that are specific to our environment and not yours. I hope I didn't eliminate anything critical while trying to edit out that which was specific to us. It's not trivial but it works very well for us. I would suggest understanding the principles behind each of the steps so you can adapt it to your environment.

Here's the excerpt:

Create a /download/OpenCA directory and grant the openca user rights to it:

    mkdir -p /download/OpenCA
    chown openca:openca /download/OpenCA

Download the openca-base-1.0.2.tar.gz and openca-tools-1.1.0.tar.gz tarballs from http://www.openca.org or from some other source into /download/:

    cd /download/OpenCA
    wget http://superb-east.dl.sourceforge.net/sourceforge/openca/openca-tools-1.1.0.tar.gz
    wget http://superb-east.dl.sourceforge.net/sourceforge/openca/openca-base-1.0.2.tar.gz

Become the openca user (su - openca). Untar the tarballs as the openca user:

    tar zvxf openca-t*.tar.gz
    tar zvxf openca-b*.tar.gz
    cd /download/OpenCA/openca-tools*
    ./configure && make clean && make
    su -c "make install"
    cd /download/OpenCA/openca-base*

We need to patch the source code for some bugs in version 1.0.2.
    cd src/common/lib/cmds

Back up the original versions:

    mv approveCSR{,.orig}
    mv viewCRR{,.orig}
    mv viewCert{,.orig}
    mv send_email_cert{,.orig}

Move these backups to the base directory since they MUST not be installed in the cmds directory even as renamed files:

    mv *.orig ../../../../

Download the new versions using wget from the following locations:

    wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/viewCert
    wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/send_email_cert
    wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/approveCSR
    wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/viewCRR

We need to patch advanced_csr to allow multiple instances of the same field:

    cp advanced_csr ../../../../

Copy in the openca_advanced_csr_multiField-1.0.2.patch patch:

    patch -p0 < openca_advanced_csr_multiField-1.0.2.patch
    rm openca_advanced_csr_multiField-1.0.2.patch

Next we need to fix some spelling and grammar in the emails by patching the mails directory. Copy the opencamail-1.0.2.patch to /download/OpenCA/openca-base-1.0.2/src/common/lib/mails/:

    cd ../mails        (i.e., src/common/lib/mails)
    patch -p1 < opencamail-1.0.2.patch

Now we need to patch DBI.pm. Copy opencaDBI.pm-1.0.2.patch to /download/OpenCA/openca-base-1.0.2/src/modules/openca-dbi/:

    cd ../../../modules/openca-dbi
    cp DBI.pm ../../../

Apply the opencaDBI.pm-1.0.2.patch patch:

    patch -p0 < opencaDBI.pm-1.0.2.patch
    cd /download/OpenCA/openca-base*/src/common/etc

We need to add two lines to the openca script (joe openca.in). At the end of the start case statement, on a new line above the ;; add (without quotes) "touch /var/lock/subsys/openca", and at the end of the stop case statement, on a new line above the ;; add (without quotes) "rm -f /var/lock/subsys/openca". Without the first, the openca script will fail on shutdown. The second is necessary to keep killall from trying to shut down openca after it has already been shut down.
Now we need to configure, make, and install OpenCA:

    cd /download/OpenCA/openca-base*
    ./configure --with-openca-user=openca --with-openca-group=openca --with-web-host= . . . .

Clear bash history to remove the password entered above (history -c) and exit to become root again. To install do:

    exit        (to root)
    cd /download/OpenCA/openca-base*
    make install-offline && make install-ra

The OpenCA installation routine for the CA/RA does not properly make the symbolic links for downloading the latest CRL and CA cert, so we will do this manually:

    cd /usr/local/OpenCA/www/html/pki/ra
    mkdir crl
    mkdir cacert
    cd crl
    ln -s ../../../../../var/openca/crypto/crls/cacrl.crl cacrl.crl
    ln -s ../../../../../var/openca/crypto/crls/cacrl.der cacrl.der
    ln -s ../../../../../var/openca/crypto/crls/cacrl.pem cacrl.pem
    ln -s ../../../../../var/openca/crypto/crls/cacrl.txt cacrl.txt
    cd ../cacert
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.cer cacert.cer
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.crt cacert.crt
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.der cacert.der
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.pem cacert.pem
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.txt cacert.txt
    cd ..
    chown -R openca:openca c{acert,rl}
    cd ../ca
    mkdir crl
    mkdir cacert
    cd crl
    ln -s ../../../../../var/openca/crypto/crls/cacrl.crl cacrl.crl
    ln -s ../../../../../var/openca/crypto/crls/cacrl.der cacrl.der
    ln -s ../../../../../var/openca/crypto/crls/cacrl.pem cacrl.pem
    ln -s ../../../../../var/openca/crypto/crls/cacrl.txt cacrl.txt
    cd ../cacert
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.cer cacert.cer
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.crt cacert.crt
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.der cacert.der
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.pem cacert.pem
    ln -s ../../../../../var/openca/crypto/cacerts/cacert.txt cacert.txt
    cd ..
    chown -R openca:openca c{acert,rl}

Now we must edit several configuration files and templates.

    cd /usr/local/OpenCA/etc/openca/access_control

There are four .xml.template files named batch, ca, ra, and node. Ultimately, we will use LDAP for authentication but we need the PKI in place before we build the LDAP server. Thus we will temporarily use passwords. Edit each the same way as below:

Find the sha1 digest for the medium security password with the following command:

    openca-digest -dgst sha1 <thepassword>

Copy the digest and then clear the history file (history -c) so the password is not available. Edit each of the templates by going to the user section under the internal database section and changing the sha1 digest from @default_web_password@ to the digest from above.

    cd ../openssl

Edit openssl.cnf.template by setting default_crl_days = 90 and default_md = sha1 (this is in two locations).

    cd openssl        (sic.)

Edit all the server and Operator (e.g., CA_Operator.conf.template) conf.template files by setting default_days = 760 and default_md = sha1. Edit the user files by setting default_days = 395 and default_md = sha1. Edit the Sub-CA and Cross_CA templates to set default_md = sha1.

    cd ../../servers        (etc/openca/servers)

Edit ca.conf.template:
  - Set the RegistrationAuthority parameter to "@ca_organization@"
  - Change DN_TYPE_BASIC_BASE from "O" "C" to "DC" "DC"
  - Change DN_TYPE_BASIC_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
  - Set the DN_TYPE_BASIC_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
  - Set the DN_TYPE_BASIC_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
  - Set the DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH parameter to 2
  - Set the DN_TYPE_BASIC_ELEMENT_3_SELECT parameter to "OfficeUsers" . . . . "WebServers" etc.
Add the following elements after the DN_TYPE_BASIC_ELEMENT_3 section:

    DN_TYPE_BASIC_ELEMENT_4 "Organizational Unit 2"
    DN_TYPE_BASIC_ELEMENT_4_SELECT "OfficeUsers" . . . . "WebServers" etc
    DN_TYPE_BASIC_ELEMENT_4_MINIMUM_LENGTH 2
    DN_TYPE_BASIC_ELEMENT_4_REQUIRED "NO"
    DN_TYPE_BASIC_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_BASIC_ELEMENT_5 "Organization 1"
    DN_TYPE_BASIC_ELEMENT_5_SELECT "name1" "name2" etc
    DN_TYPE_BASIC_ELEMENT_5_MINIMUM_LENGTH 2
    DN_TYPE_BASIC_ELEMENT_5_REQUIRED "NO"
    DN_TYPE_BASIC_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_BASIC_ELEMENT_6 "Organization 2"
    DN_TYPE_BASIC_ELEMENT_6_SELECT "name1" "name2" "name3" etc
    DN_TYPE_BASIC_ELEMENT_6_MINIMUM_LENGTH 2
    DN_TYPE_BASIC_ELEMENT_6_REQUIRED "NO"
    DN_TYPE_BASIC_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"

Save the changes.

Edit ra.conf.template:
  - Set the RegistrationAuthority parameter to "@ca_organization@"
  - Change DN_TYPE_SPKAC_BASE from "O" "C" to "DC" "DC"
  - Change DN_TYPE_SPKAC_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
  - Set the DN_TYPE_SPKAC_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
  - Set the DN_TYPE_SPKAC_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
  - Set the DN_TYPE_SPKAC_ELEMENT_3_MINIMUM_LENGTH parameter to 2
  - Set the DN_TYPE_SPKAC_ELEMENT_3_SELECT parameter to "OfficeUsers" . . . . "WebServers" etc

Add the following elements after the DN_TYPE_BASIC_ELEMENT_3 section:

    DN_TYPE_SPKAC_ELEMENT_4 "Organizational Unit 2"
    DN_TYPE_SPKAC_ELEMENT_4_SELECT "OfficeUsers" . . . . "WebServers" etc
    DN_TYPE_SPKAC_ELEMENT_4_MINIMUM_LENGTH 2
    DN_TYPE_SPKAC_ELEMENT_4_REQUIRED "NO"
    DN_TYPE_SPKAC_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_SPKAC_ELEMENT_5 "Organization 1"
    DN_TYPE_SPKAC_ELEMENT_5_SELECT "name1" "name2" etc
    DN_TYPE_SPKAC_ELEMENT_5_MINIMUM_LENGTH 2
    DN_TYPE_SPKAC_ELEMENT_5_REQUIRED "NO"
    DN_TYPE_SPKAC_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_SPKAC_ELEMENT_6 "Organization 2"
    DN_TYPE_SPKAC_ELEMENT_6_SELECT "name1" "name2" "name3" etc
    DN_TYPE_SPKAC_ELEMENT_6_MINIMUM_LENGTH 2
    DN_TYPE_SPKAC_ELEMENT_6_REQUIRED "NO"
    DN_TYPE_SPKAC_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"

  - Change DN_TYPE_IE_BASE from "O" "C" to "DC" "DC"
  - Change DN_TYPE_IE_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
  - Set the DN_TYPE_IE_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
  - Set the DN_TYPE_IE_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
  - Set the DN_TYPE_IE_ELEMENT_3_MINIMUM_LENGTH parameter to 2
  - Set the DN_TYPE_IE_ELEMENT_3_SELECT parameter to "OfficeUsers" . . . "WebServers" etc

Add the following elements after the DN_TYPE_IE_ELEMENT_3 section:

    DN_TYPE_IE_ELEMENT_4 "Organizational Unit 2"
    DN_TYPE_IE_ELEMENT_4_SELECT "OfficeUsers" . . . "WebServers" etc
    DN_TYPE_IE_ELEMENT_4_MINIMUM_LENGTH 2
    DN_TYPE_IE_ELEMENT_4_REQUIRED "NO"
    DN_TYPE_IE_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_IE_ELEMENT_5 "Organization 1"
    DN_TYPE_IE_ELEMENT_5_SELECT "name1" "name2" etc
    DN_TYPE_IE_ELEMENT_5_MINIMUM_LENGTH 2
    DN_TYPE_IE_ELEMENT_5_REQUIRED "NO"
    DN_TYPE_IE_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_IE_ELEMENT_6 "Organization 2"
    DN_TYPE_IE_ELEMENT_6_SELECT "name1" "name2" "name3" etc
    DN_TYPE_IE_ELEMENT_6_MINIMUM_LENGTH 2
    DN_TYPE_IE_ELEMENT_6_REQUIRED "NO"
    DN_TYPE_IE_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"

  - Set warnuser to no
  - Change the WARN_EXPIRING_DAYS parameter from 31 to 62
  - Set SERVICE_MAIL_ACCOUNT to some...@mycompany.com

Save the changes.

Edit node.conf.template:
  - Set warnuser to no

    cd ../rbac        (etc/openca/rbac)

Edit roles.xml by commenting out the VPN User line as there is no definition for a VPN User in 1.0.2 (XML comments are between <!-- and -->).

    cd ..        (etc/openca)

Edit auth_browser_req.xml.template:
  - In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.

Edit browser_req.xml.template:
  - In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.
  - In the User Data section, Basic Information section: set the required tag of the First Name and Last Name fields to "NO". Set the User ID fields to have required as "YES" and minlength as "1".
  - In the Certificate Data section under basedn, comment out all the rdn elements (XML comments are between <!-- and -->).
  - In the dn section under the cn input, change the value from $ADDITIONAL_ATTRIBUTE_FIRSTNAME $ADDITIONAL_ATTRIBUTE_LASTNAME to $ADDITIONAL_ATTRIBUTE_UID and change the minlength to "2".
  - Under the ou input, use the following values instead of the defaults: <value>OfficeUsers</value> . . . . <value>WebServers</value> etc, and change the minlength to 2, the name to ou_1, the label to Certificate Group 1 and add <valueType>OU</valueType> at the end.
Add the following elements after the ou element and within the dn tags:

    <input>
      <name>ou_2</name>
      <label>Certificate Group 2</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>OfficeUsers</value>
      . . . .
      <value>WebServers</value> etc
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>OU</valueType>
    </input>
    <input>
      <name>o_1</name>
      <label>Organization 1</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>@ca_organization@</value>
      <value>name1</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>O</valueType>
    </input>
    <input>
      <name>o_2</name>
      <label>Organization 2</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>name1</value>
      <value>name2</value>
      <value>name3</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>O</valueType>
    </input>
    <input>
      <name>C</name>
      <label>Country</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>@ca_country@</value>
      <value>GB</value>
      <minlen>0</minlen>
      <required>NO</required>
    </input>
    <input>
      <name>dc_1</name>
      <label>Domain Component</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value>mycompany</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DC</valueType>
    </input>
    <input>
      <name>dc_2</name>
      <label>Domain Component</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value>com</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DC</valueType>
    </input>

In the subjectAltNames section under Advanced Features, immediately after the OTHER_NAME_1 stanza, add the following four stanzas:

    <input>
      <name>DNS_1</name>
      <label>Name 1</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <value>$ADDITIONAL_ATTRIBUTE_UID</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>DNS_2</name>
      <label>Name 2</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>DNS_3</name>
      <label>Name 3</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>IP</name>
      <label>IP Address</label>
      <type>textfield</type>
      <charset>IPV4_ADDRESS</charset>
      <minlen>7</minlen>
      <required>NO</required>
      <valueType>IP</valueType>
    </input>

Edit config.xml as follows (it is important we modify config.xml last; configure_etc.sh compares the time stamps and will not update files if the templates are newer than config.xml):

    typical configuration settings . . . .

You will need to follow a similar procedure for setting up the public node. To save having to redo all the source code patching, you can clean the source code on the CA and then copy it to the public node, but you'll still need to edit the configuration files as above.

Hope this helps -

John

Oh, I forgot how to set up the LDAP authentication:

    cd /usr/local/OpenCA/etc/openca/access_control

There are four .xml.template files named batch, ca, ra, and node. Edit each the same way as below:

Comment out all the internal database information including the password information.
XML comments are like HTML comments, i.e., everything between <!-- and -->.

Create an LDAP section under the login section, i.e., at the same level in the hierarchy as the internal database section, with the following contents:

    <database>ldap</database>
    <ldapdata>
      <host>pdc</host>
      <port>636</port>
      <base>dc=mycompany,dc=com</base>
      <binddn></binddn>                 <!-- None needed for anonymous access -->
      <bindpw>noauth</bindpw>           <!-- Must have some value even for anonymous access -->
      <usetls>yes</usetls>
      <cacertpath>/etc/pki/CA/certs/</cacertpath>   <!-- path to the LDAP server's CA cert -->
      <searchattr>uid</searchattr>      <!-- the attribute which corresponds to the value used by the user to login -->
      <ldapdefaultauthmeth>bind</ldapdefaultauthmeth>
    </ldapdata>
    <passwd>
      <roleattribute>uid</roleattribute>   <!-- what LDAP attribute to use to determine the user's role -->
      <rolemapping>
        <roleattributevalue>operator</roleattributevalue>
        <role>RA Operator</role>
      </rolemapping>
    </passwd>

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
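The DN_TYPE_*_ELEMENT settings John lists for ca.conf.template and ra.conf.template describe, in OpenCA's own config syntax, how a request's form fields are validated and assembled into a DC-style subject DN. The following is an added example (not John's notes and not OpenCA code) that expresses those rules as data and shows the validation, the RFC 4514 escaping of request values, and the resulting DN under the dc=mycompany,dc=com base. Assumptions: select lists are cut down to the two values shown in the mail, the "E-Mail" label is invented, and CN required with minimum length 2 is taken from the browser_req.xml cn edits rather than from ca.conf.template.

```python
# Added example, not from the mail or from OpenCA: the DN_TYPE_*_ELEMENT rules as
# data, plus the validation and DC-style DN assembly they imply.  Select lists
# are shortened to the mail's two values; CN required / min length 2 is assumed
# from the browser_req.xml cn input; "mycompany"/"com" are the mail's placeholders.

# (attribute type, label, required, minimum length, allowed select values or None)
DN_ELEMENTS = [
    ("emailAddress", "E-Mail", False, 0, None),        # ELEMENT_1_REQUIRED "NO"
    ("CN", "Common Name", True, 2, None),              # assumed, see header comment
    ("OU", "Organizational Unit 1", False, 2, {"OfficeUsers", "WebServers"}),
    ("OU", "Organizational Unit 2", False, 2, {"OfficeUsers", "WebServers"}),
    ("O", "Organization 1", False, 2, {"name1", "name2"}),
    ("O", "Organization 2", False, 2, {"name1", "name2", "name3"}),
]
# DN_TYPE_BASIC_BASE "DC" "DC": a fixed suffix, never taken from the request.
DN_BASE = [("DC", "mycompany"), ("DC", "com")]


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so a request value cannot smuggle in extra RDNs."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        lead_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if special or lead_hash or edge_space else ch)
    return "".join(out)


def validate_fields(fields):
    """fields: values aligned with DN_ELEMENTS ('' = left blank on the form).
    Returns a list of error strings; an empty list means the request passes."""
    if len(fields) != len(DN_ELEMENTS):
        return ["wrong number of fields"]
    errors = []
    for (_attr, label, required, minlen, allowed), value in zip(DN_ELEMENTS, fields):
        if value == "":
            if required:
                errors.append(f"{label}: required")
            continue
        if len(value) < minlen:
            errors.append(f"{label}: shorter than {minlen}")
        if allowed is not None and value not in allowed:
            errors.append(f"{label}: '{value}' not in select list")
    return errors


def build_dn(fields):
    """Assemble the subject DN, most specific RDN first, ending in the DC base."""
    errors = validate_fields(fields)
    if errors:
        raise ValueError("; ".join(errors))
    rdns = [f"{attr}={escape_rdn_value(v)}"
            for (attr, *_), v in zip(DN_ELEMENTS, fields) if v != ""]
    rdns += [f"{attr}={v}" for attr, v in DN_BASE]
    return ",".join(rdns)


def is_under_base(dn: str, base: str = "DC=mycompany,DC=com") -> bool:
    """Check that an issued DN sits inside the tree the mail keys everything to."""
    return dn.lower().endswith("," + base.lower())
```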