I miss my patch that fixes LOA and its policy extensions I supplied one year before:
http://www.mail-archive.com/openca-de...@lists.sourceforge.net/msg02984.html
Does this mean that it hasn't been committed yet??

John A. Sullivan III wrote:
> On Tue, 2010-01-05 at 00:34 +0100, Marco Carcano wrote:
>
>> Hi
>>
>> I'm writing an installation script that, at the end of the work, "I hope" may set up a CentOS 5.x Linux to act as a Windows 2003 SmallBusiness.
>> The project name is ECK, you can find it on sourceforge. Although it is an alpha, I successfully installed several servers with it (and they could even work!).
>> For now it can successfully set up in less than 30 minutes ntpd, dhcpd with ddns updates, dnd, openldap kerberized, MIT kerberos, Samba as a PDC which can also work in a Kerberos realm (it is my bijou!), postfix, dovecot, roundcube and egroupware, ... every package has been tightly integrated within openLDAP (for example the Roundcube Addressbook with the egroupware one; you can define mail-enabled groups (real system groups you can use to send mail to members - like Microsoft does)).
>>
>> and now why I'm writing to this list: ... I'd like to add OpenCA! I compiled an RPM and added it to the ECK repository. I can install OpenCA and start it without particular troubles - although I had to patch one file - I don't know why, but without the changes I did it often failed to start - if someone of the developers is interested about this I could send him a detailed log and the "patch".
>>
>> It seems to work quite well, but I'm struggling with LDAP integration, ... so is there an OpenCA LDAP integration guru out there who wants to help me?
>>
>> In ECK I designed a really easy LDAP structure (in our example we use the DC style dc=acme,dc=local), so that LDAP services go under
>>
>> ou=Services,dc=acme,dc=local
>>
>> as for OpenCA, I'd like to put its data under
>> cn=openca,ou=Certificates,ou=Services,dc=acme,dc=local
>>
>> there is also a ou=Users,dc=acme,dc=local and a ou=Groups,dc=acme,dc=local and a ou=Computer,dc=acme,dc=local - you can easily guess what goes under these trees
>>
>> so I need someone who can help me configure OpenCA with LDAP in DC style.
>>
>> any help is appreciated: as soon as OpenCA support is good I'd like to add other useful things, like Freeradius, StrongSWAN, SQUID, Amanda, ... lots of work, so your help with openca will be appreciated
>>
>> I hope somebody wants to give me some help - and maybe join my project: I wrote it in such a modular way that it will be easy enough for anybody to complete the OpenCA module himself
>>
>> Hope to hear from somebody of you soon
>>
> <snip>
> We are successfully using OpenCA 1.0.2 with DC syntax. I'm afraid I'm under a nasty deadline so I won't have time to streamline this or pretty it up - I'll just expunge sensitive data. Here are notes from our internal documentation. I don't think the patches have been accepted into OpenCA yet so, if you need them, please email me and I'll send them. I have zero experience developing in Perl so they are definitely use at your own risk!
>
> To give context to the below procedure, we use a combined CA/RA, a separate public node, and a common database hosted on a separate database server. There may be some steps that are specific to our environment and not yours. I hope I didn't eliminate anything critical while trying to edit out that which was specific to us. It's not trivial but it works very well for us. I would suggest understanding the principles behind each of the steps so you can adapt it to your environment.
>
> Here's the excerpt:
>
> Create a /download/OpenCA directory and grant the openca user rights to it:
> mkdir -p /download/OpenCA
> chown openca:openca /download/OpenCA
> Download the openca-base-1.0.2.tar.gz and openca-tools-1.1.0.tar.gz tarballs from http://www.openca.org or from some other source into /download/
> cd /download/OpenCA
> wget http://superb-east.dl.sourceforge.net/sourceforge/openca/openca-tools-1.1.0.tar.gz
> wget http://superb-east.dl.sourceforge.net/sourceforge/openca/openca-base-1.0.2.tar.gz
> Become the openca user (su - openca)
> Untar the tarballs as the openca user
> tar zvxf openca-t*.tar.gz
> tar zvxf openca-b*.tar.gz
> cd /download/OpenCA/openca-tools*
> ./configure && make clean && make
> su -c "make install"
> cd /download/OpenCA/openca-base*
> We need to patch the source code for some bugs in version 1.0.2.
> cd src/common/lib/cmds
> Backup the original versions:
> mv approveCSR{,.orig}
> mv viewCRR{,.orig}
> mv viewCert{,.orig}
> mv send_email_cert{,.orig}
> Move these backups to the base directory since they MUST not be installed in the cmds directory even as renamed files:
> mv *.orig ../../../../
> Download the new versions using wget from the following locations:
> wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/viewCert
> wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/send_email_cert
> wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/approveCSR
> wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/viewCRR
> We need to patch advanced_csr to allow multiple instances of the same field:
> cp advanced_csr ../../../../
> Copy in the openca_advanced_csr_multiField-1.0.2.patch patch
> patch -p0 < openca_advanced_csr_multiField-1.0.2.patch
> rm openca_advanced_csr_multiField-1.0.2.patch
> Next we need to fix some spelling and grammar in the emails by patching the mails directory:
> Copy the opencamail-1.0.2.patch to /download/OpenCA/openca-base-1.0.2/src/common/lib/mails/
> cd ../mails (i.e., src/common/lib/mails)
> patch -p1 < opencamail-1.0.2.patch
> Now we need to patch DBI.pm
> Copy opencaDBI.pm-1.0.2.patch to /download/OpenCA/openca-base-1.0.2/src/modules/openca-dbi/
> cd ../../../modules/openca-dbi
> cp DBI.pm ../../../
> Apply the opencaDBI.pm-1.0.2.patch patch
> patch -p0 < opencaDBI.pm-1.0.2.patch
> cd /download/OpenCA/openca-base*/src/common/etc
> We need to add two lines to the openca script (joe openca.in). At the end of the start case statement, on a new line above the ;; add (without quotes) "touch /var/lock/subsys/openca" and at the end of the stop case statement, on a new line above the ;; add (without quotes) "rm -f /var/lock/subsys/openca". Without the first, the openca script will fail on shutdown. The second is necessary to keep killall from trying to shut down openca after it has already been shut down.
>
> Now we need to configure, make, and install OpenCA:
> cd /download/OpenCA/openca-base*
> ./configure --with-openca-user=openca --with-openca-group=openca --with-web-host= . . . .
>
> Clear bash history to remove the password entered above (history -c) and exit to become root again
> To install do:
> exit (to root)
> cd /download/OpenCA/openca-base*
> make install-offline && make install-ra
>
> The OpenCA installation routine for the CA/RA does not properly make the symbolic links for downloading the latest CRL and CA cert so we will do this manually.
> cd /usr/local/OpenCA/www/html/pki/ra
> mkdir crl
> mkdir cacert
> cd crl
> ln -s ../../../../../var/openca/crypto/crls/cacrl.crl cacrl.crl
> ln -s ../../../../../var/openca/crypto/crls/cacrl.der cacrl.der
> ln -s ../../../../../var/openca/crypto/crls/cacrl.pem cacrl.pem
> ln -s ../../../../../var/openca/crypto/crls/cacrl.txt cacrl.txt
> cd ../cacert
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.cer cacert.cer
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.crt cacert.crt
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.der cacert.der
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.pem cacert.pem
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.txt cacert.txt
> cd ..
> chown -R openca:openca c{acert,rl}
> cd ../ca
> mkdir crl
> mkdir cacert
> cd crl
> ln -s ../../../../../var/openca/crypto/crls/cacrl.crl cacrl.crl
> ln -s ../../../../../var/openca/crypto/crls/cacrl.der cacrl.der
> ln -s ../../../../../var/openca/crypto/crls/cacrl.pem cacrl.pem
> ln -s ../../../../../var/openca/crypto/crls/cacrl.txt cacrl.txt
> cd ../cacert
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.cer cacert.cer
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.crt cacert.crt
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.der cacert.der
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.pem cacert.pem
> ln -s ../../../../../var/openca/crypto/cacerts/cacert.txt cacert.txt
> cd ..
> chown -R openca:openca c{acert,rl}
>
> Now we must edit several configuration files and templates.
>
> cd /usr/local/OpenCA/etc/openca/access_control
> There are four .xml.template files named batch, ca, ra, and node. Ultimately, we will use LDAP for authentication but we need the PKI in place before we build the LDAP server. Thus we will temporarily use passwords. Edit each the same way as below:
> Find the sha1 digest for the medium security password with the following command:
> openca-digest -dgst sha1 <thepassword>
> Copy the digest and then clear the history file (history -c) so the password is not available.
> Edit each of the templates by going to the user section under the internal database section and changing the sha1 digest from @default_web_password@ to the digest from above.
>
> cd ../openssl
> Edit openssl.cnf.template by setting default_crl_days = 90 and default_md = sha1 (this is in two locations).
>
> cd openssl (sic.)
> Edit all the server and Operator (e.g., CA_Operator.conf.template) conf.template files by setting default_days = 760 and default_md = sha1.
> Edit the user files by setting default_days = 395 and default_md = sha1.
> Edit the Sub-CA and Cross_CA templates to set default_md=sha1
>
> cd ../../servers (etc/openca/servers)
> Edit ca.conf.template:
> Set the RegistrationAuthority parameter to "@ca_organization@"
> Change DN_TYPE_BASIC_BASE from "O" "C" to "DC" "DC"
> Change DN_TYPE_BASIC_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
> Set the DN_TYPE_BASIC_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
> Set the DN_TYPE_BASIC_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
> Set the DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH parameter to 2
> Set the DN_TYPE_BASIC_ELEMENT_3_SELECT parameter to "OfficeUsers" . . . . "WebServers" etc.
> Add the following elements after the DN_TYPE_BASIC_ELEMENT_3 section:
> DN_TYPE_BASIC_ELEMENT_4 "Organizational Unit 2"
> DN_TYPE_BASIC_ELEMENT_4_SELECT "OfficeUsers" . . . . "WebServers" etc
> DN_TYPE_BASIC_ELEMENT_4_MINIMUM_LENGTH 2
> DN_TYPE_BASIC_ELEMENT_4_REQUIRED "NO"
> DN_TYPE_BASIC_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
>
> DN_TYPE_BASIC_ELEMENT_5 "Organization 1"
> DN_TYPE_BASIC_ELEMENT_5_SELECT "name1" "name2" etc
> DN_TYPE_BASIC_ELEMENT_5_MINIMUM_LENGTH 2
> DN_TYPE_BASIC_ELEMENT_5_REQUIRED "NO"
> DN_TYPE_BASIC_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
>
> DN_TYPE_BASIC_ELEMENT_6 "Organization 2"
> DN_TYPE_BASIC_ELEMENT_6_SELECT "name1" "name2" "name3" etc
> DN_TYPE_BASIC_ELEMENT_6_MINIMUM_LENGTH 2
> DN_TYPE_BASIC_ELEMENT_6_REQUIRED "NO"
> DN_TYPE_BASIC_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"
> Save the changes
>
> Edit ra.conf.template:
> Set the RegistrationAuthority parameter to "@ca_organization@"
> Change DN_TYPE_SPKAC_BASE from "O" "C" to "DC" "DC"
> Change DN_TYPE_SPKAC_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
> Set the DN_TYPE_SPKAC_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
> Set the DN_TYPE_SPKAC_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
> Set the DN_TYPE_SPKAC_ELEMENT_3_MINIMUM_LENGTH parameter to 2
> Set the DN_TYPE_SPKAC_ELEMENT_3_SELECT parameter to "OfficeUsers" . . . . "WebServers" etc
> Add the following elements after the DN_TYPE_BASIC_ELEMENT_3 section:
> DN_TYPE_SPKAC_ELEMENT_4 "Organizational Unit 2"
> DN_TYPE_SPKAC_ELEMENT_4_SELECT "OfficeUsers" . . . . "WebServers" etc
> DN_TYPE_SPKAC_ELEMENT_4_MINIMUM_LENGTH 2
> DN_TYPE_SPKAC_ELEMENT_4_REQUIRED "NO"
> DN_TYPE_SPKAC_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
>
> DN_TYPE_SPKAC_ELEMENT_5 "Organization 1"
> DN_TYPE_SPKAC_ELEMENT_5_SELECT "name1" "name2" etc
> DN_TYPE_SPKAC_ELEMENT_5_MINIMUM_LENGTH 2
> DN_TYPE_SPKAC_ELEMENT_5_REQUIRED "NO"
> DN_TYPE_SPKAC_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
>
> DN_TYPE_SPKAC_ELEMENT_6 "Organization 2"
> DN_TYPE_SPKAC_ELEMENT_6_SELECT "name1" "name2" "name3" etc
> DN_TYPE_SPKAC_ELEMENT_6_MINIMUM_LENGTH 2
> DN_TYPE_SPKAC_ELEMENT_6_REQUIRED "NO"
> DN_TYPE_SPKAC_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"
> Change DN_TYPE_IE_BASE from "O" "C" to "DC" "DC"
> Change DN_TYPE_IE_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
> Set the DN_TYPE_IE_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
> Set the DN_TYPE_IE_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
> Set the DN_TYPE_IE_ELEMENT_3_MINIMUM_LENGTH parameter to 2
> Set the DN_TYPE_IE_ELEMENT_3_SELECT parameter to "OfficeUsers" . . . "WebServers" etc
> Add the following elements after the DN_TYPE_IE_ELEMENT_3 section:
> DN_TYPE_IE_ELEMENT_4 "Organizational Unit 2"
> DN_TYPE_IE_ELEMENT_4_SELECT "OfficeUsers" . . . "WebServers" etc
> DN_TYPE_IE_ELEMENT_4_MINIMUM_LENGTH 2
> DN_TYPE_IE_ELEMENT_4_REQUIRED "NO"
> DN_TYPE_IE_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
>
> DN_TYPE_IE_ELEMENT_5 "Organization 1"
> DN_TYPE_IE_ELEMENT_5_SELECT "name1" "name2" etc
> DN_TYPE_IE_ELEMENT_5_MINIMUM_LENGTH 2
> DN_TYPE_IE_ELEMENT_5_REQUIRED "NO"
> DN_TYPE_IE_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
>
> DN_TYPE_IE_ELEMENT_6 "Organization 2"
> DN_TYPE_IE_ELEMENT_6_SELECT "name1" "name2" "name3" etc
> DN_TYPE_IE_ELEMENT_6_MINIMUM_LENGTH 2
> DN_TYPE_IE_ELEMENT_6_REQUIRED "NO"
> DN_TYPE_IE_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"
> Set warnuser to no
> Change the WARN_EXPIRING_DAYS parameter from 31 to 62
> Set SERVICE_MAIL_ACCOUNT to some...@mycompany.com
> Save the changes
>
> Edit node.conf.template:
> Set warnuser to no
>
> cd ../rbac (etc/openca/rbac)
> Edit roles.xml by commenting out the VPN User line as there is no definition for a VPN User in 1.0.2 (xml comments are between <!-- and -->)
>
> cd .. (etc/openca)
> Edit auth_browser_req.xml.template:
> In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.
>
> Edit browser_req.xml.template:
> In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.
> In the User Data section, Basic Information Section:
> Set the required tag of the First Name and Last Name fields to "NO"
> Set the User ID fields to have required as "YES" and minlength as "1"
> In the Certificate Data Section under basedn, comment out all the rdn elements (xml comments are between <!-- and -->)
> In the dn section under the cn input, change the value from $ADDITIONAL_ATTRIBUTE_FIRSTNAME $ADDITIONAL_ATTRIBUTE_LASTNAME to $ADDITIONAL_ATTRIBUTE_UID and change the minlength to "2".
> Under the ou input, use the following values instead of the defaults:
> <value>OfficeUsers</value>
> .
> .
> .
> .
> <value>WebServers</value> etc
> and change the minlength to 2, the name to ou_1, the label to Certificate Group 1 and add <valueType>OU</valueType> at the end.
> Add the following elements after the ou element and within the dn tags:
> <input>
> <name>ou_2</name>
> <label>Certificate Group 2</label>
> <type>select</type>
> <charset>UTF8_MIXED</charset>
> <value></value>
> <value>OfficeUsers</value>
> .
> .
> .
> .
> <value>WebServers</value> etc
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>OU</valueType>
> </input>
> <input>
> <name>o_1</name>
> <label>Organization 1</label>
> <type>select</type>
> <charset>UTF8_MIXED</charset>
> <value></value>
> <value>@ca_organization@</value>
> <value>name1</value>
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>O</valueType>
> </input>
> <input>
> <name>o_2</name>
> <label>Organization 2</label>
> <type>select</type>
> <charset>UTF8_MIXED</charset>
> <value></value>
> <value>name1</value>
> <value>name2</value>
> <value>name3</value>
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>O</valueType>
> </input>
> <input>
> <name>C</name>
> <label>Country</label>
> <type>select</type>
> <charset>UTF8_MIXED</charset>
> <value></value>
> <value>@ca_country@</value>
> <value>GB</value>
> <minlen>0</minlen>
> <required>NO</required>
> </input>
> <input>
> <name>dc_1</name>
> <label>Domain Component</label>
> <type>select</type>
> <charset>UTF8_MIXED</charset>
> <value>mycompany</value>
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>DC</valueType>
> </input>
> <input>
> <name>dc_2</name>
> <label>Domain Component</label>
> <type>select</type>
> <charset>UTF8_MIXED</charset>
> <value>com</value>
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>DC</valueType>
> </input>
> In the subjectAltNames section under Advanced Features immediately after the OTHER_NAME_1 stanza, add the following four stanzas:
> <input>
> <name>DNS_1</name>
> <label>Name 1</label>
> <type>textfield</type>
> <charset>UTF8_MIXED</charset>
> <value>$ADDITIONAL_ATTRIBUTE_UID</value>
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>DNS</valueType>
> </input>
> <input>
> <name>DNS_2</name>
> <label>Name 2</label>
> <type>textfield</type>
> <charset>UTF8_MIXED</charset>
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>DNS</valueType>
> </input>
> <input>
> <name>DNS_3</name>
> <label>Name 3</label>
> <type>textfield</type>
> <charset>UTF8_MIXED</charset>
> <minlen>0</minlen>
> <required>NO</required>
> <valueType>DNS</valueType>
> </input>
> <input>
> <name>IP</name>
> <label>IP Address</label>
> <type>textfield</type>
> <charset>IPV4_ADDRESS</charset>
> <minlen>7</minlen>
> <required>NO</required>
> <valueType>IP</valueType>
> </input>
>
> Edit config.xml as follows (it is important we modify config.xml last; configure_etc.sh compares the time stamps and will not update files if the templates are newer than config.xml):
> typical configuration settings . . . .
>
> You will need to follow a similar procedure for setting up the public node. To save having to redo all the source code patching, you can clean the source code on the CA and then copy it to the public node but you'll still need to edit the configuration files as above.
>
> Hope this helps - John
>
> Oh, I forgot how to set up the LDAP authentication:
>
> cd /usr/local/OpenCA/etc/openca/access_control
>
> There are four .xml.template files named batch, ca, ra, and node. Edit each the same way as below:
>
> Comment out all the internal database information including the password information. XML comments are like HTML comments, i.e., everything between <!-- and -->
>
> Create an LDAP section under the login section, i.e., at the same level in the hierarchy as the internal database section, with the following contents:
>
> <database>ldap</database>
> <ldapdata>
> <host>pdc</host>
> <port>636</port>
> <base>dc=mycompany,dc=com</base>
> <binddn></binddn> <!-- None needed for anonymous access -->
> <bindpw>noauth</bindpw> <!-- Must have some value even for anonymous access -->
> <usetls>yes</usetls>
> <cacertpath>/etc/pki/CA/certs/</cacertpath> <!-- path to the LDAP server's CA cert -->
> <searchattr>uid</searchattr> <!-- the attribute which corresponds to the value used by the user to login -->
> <ldapdefaultauthmeth>bind</ldapdefaultauthmeth>
> </ldapdata>
> <passwd>
> <roleattribute>uid</roleattribute> <!-- what LDAP attribute to use to determine the user's role -->
> <rolemapping>
> <roleattributevalue>operator</roleattributevalue>
> <role>RA Operator</role>
> </rolemapping>
> </passwd>
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> _______________________________________________
> Openca-Users mailing list
> Openca-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openca-users
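Added example, written for this thread and not code from OpenCA or from either poster: it models the DC-style subject DN rules in John's ca.conf/ra.conf notes above (DN_TYPE_*_ELEMENTS "emailAddress" "CN" "OU" "OU" "O" "O" over a "DC" "DC" base, with per-element REQUIRED, MINIMUM_LENGTH and SELECT settings) as a server-side builder that enforces the SELECT lists and escapes free-text RDN values. It assumes OpenCA joins the elements in listed order followed by the base; the SELECT lists, minimum lengths and sample inputs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Element:
    attr: str                          # RDN attribute type, e.g. "OU"
    required: bool = True              # DN_TYPE_*_ELEMENT_n_REQUIRED
    min_len: int = 1                   # DN_TYPE_*_ELEMENT_n_MINIMUM_LENGTH
    select: Optional[List[str]] = None  # DN_TYPE_*_ELEMENT_n_SELECT, if any


# Constructed to mirror the edited templates: emailAddress optional (ELEMENT_1
# REQUIRED "NO"), CN required, two OUs from a fixed list, two optional Os.
ELEMENTS = [
    Element("emailAddress", required=False, min_len=0),
    Element("CN", required=True, min_len=2),
    Element("OU", required=True, min_len=2, select=["OfficeUsers", "WebServers"]),
    Element("OU", required=False, min_len=2, select=["OfficeUsers", "WebServers"]),
    Element("O", required=False, min_len=2, select=["name1", "name2"]),
    Element("O", required=False, min_len=2, select=["name1", "name2", "name3"]),
]
BASE = [("DC", "mycompany"), ("DC", "com")]   # DN_TYPE_*_BASE "DC" "DC"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 so a free-text field (CN here)
    cannot smuggle an extra RDN such as ',OU=CAOperators' into the subject."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(values: List[str]) -> str:
    """values[i] is the form input for ELEMENTS[i]; '' means left blank.
    Returns the DN string, or raises ValueError naming the offending element."""
    if len(values) != len(ELEMENTS):
        raise ValueError("expected %d values" % len(ELEMENTS))
    rdns = []
    for i, (el, val) in enumerate(zip(ELEMENTS, values), start=1):
        val = val.strip()
        if not val:
            if el.required:
                raise ValueError("element %d (%s) is required" % (i, el.attr))
            continue                        # optional element left blank
        if len(val) < el.min_len:
            raise ValueError("element %d (%s) shorter than %d" % (i, el.attr, el.min_len))
        if el.select is not None and val not in el.select:
            raise ValueError("element %d (%s) not in SELECT list" % (i, el.attr))
        rdns.append("%s=%s" % (el.attr, escape_rdn_value(val)))
    rdns.extend("%s=%s" % (a, escape_rdn_value(v)) for a, v in BASE)
    return ",".join(rdns)


def dn_error(values: List[str]) -> Optional[str]:
    """Return the validation error for values, or None when the DN is valid."""
    try:
        build_dn(values)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(build_dn(["", "jdoe", "OfficeUsers", "", "name1", ""]))
```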