Hello Marco,
Thanks for your reply.
Following your reply, I created an AnyType object "ROOTCERT" with an
AnyTypeClass "ROOTCERT" and a plain schema "rootCert" of type binary
"application/x-x509-ca-cert", in order to upload the root certs that I
need (uploaded OK, no problem here).
I was looking to create the same thing with different names for the
intermediate certs, but before that I tried to follow the guidance in your
reply, and I don't really know how to...
I don't know how to proceed with the scripts and the connectors. I saw
that I should create a PowerShell script to map the functions "create",
"update", "delete", "search", "test"... but I don't know where to start.
So here goes some questions :)
How do I pass arguments to the PowerShell scripts (like the certs)?
Where should I indicate to the connector that it should run on
machine X (a Windows server, for example)?
Should I create a connector for each machine that I want the cert on, or
must I solve this with the PowerShell script (run it only on the Windows
server and from there, somehow, spread the certs across the client
machines)?
And about the mapping of the SubjectKeyIdentifier to the plain schema
that I created, can you provide some guidance on how to accomplish that?
I have the tools to get the info from the smartcard... So I don't know
if it's possible to "edit" the web page, or add a type to Syncope like
binary where the button, instead of opening the dialog to choose the file,
would run a Java applet to get the info and fill the textbox...
Best,
João Graça
On 18/05/2017 16:20, Marco Di Sabatino Di Diodoro wrote:
On 18/05/2017 16:33, João Graça wrote:
Hello,
I have the following scenario that I need to study and implement if
possible:
- Active Directory Server where users will be created (actually
already there)
- Syncope Server to manage users
- Eventually other databases where the users need to be synchronized
with the help of syncope
- Somehow propagate certificates (root and intermediate certs) to the
AD server and machines to allow later login on the Windows machines
with smartcards
So far, I managed to connect syncope with the AD and
create/update/delete users and groups.
I was also able to map a plain schema that I created to the
altSecurityIdentities property of the user in Active
Directory, providing there a string like "X509:<SKI>'here goes the
subject key identifier of the user's cert'".
With this configuration I can log in with the user's smartcard on the
Windows client machine. For this login to work I had to install the root
and intermediate certs on the Active Directory server and the client
machines, but here comes the question...
Is there a way to maintain those certs (root and intermediate) and
propagate them to the server and clients with Syncope?
Syncope provides binary fields to store files.
You can use the CMD connector [1][2] (PowerShell scripts) to manage the
certs in Active Directory.
And, if possible, to automate the process of gathering the
SubjectKeyIdentifier of the user certificate into the plain schema that
I created, which maps to altSecurityIdentities.
Yes
Regards
M
[1] https://connid.atlassian.net/wiki/display/BASE/CMD
[2] https://github.com/Tirasa/ConnIdCMDBundle
Best,
João Graça
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
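Added example, not code from this thread nor from the Syncope or ConnId projects: a PowerShell script for the two tasks João asks about on a Windows host. With -Action install it puts a CA certificate into the LocalMachine Root (self-signed roots) or CA (intermediates) store, idempotently and refusing anything that is not a CA certificate; with -Action ski it extracts the SubjectKeyIdentifier from a user certificate and prints the "X509:<SKI>..." string that the thread maps to altSecurityIdentities. The assumptions are mine and are not stated on the page: the certificate arrives as a base64-encoded DER blob in the -Base64Cert parameter (how the CMD connector hands attribute values to a script is not covered here, so adapt the param block to whatever your connector does), and the script runs elevated on the machine whose store is being changed.

```powershell
<#
  Added example; not from the thread or the Syncope/ConnId projects.
  Assumptions (not on the page): -Base64Cert carries a base64 DER certificate,
  and the script runs with local administrator rights on the target host.
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet('install', 'ski')][string] $Action,
    [Parameter(Mandatory = $true)][string] $Base64Cert,
    [ValidateSet('Root', 'CA')][string] $Store = 'Root'   # Root = trusted roots, CA = intermediates
)

function Get-SkiMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # SubjectKeyIdentifier is OID 2.5.29.14; .NET exposes it as a typed extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if (-not $ext) {
        throw "Certificate '$($Cert.Subject)' has no SubjectKeyIdentifier extension"
    }
    $ski = ([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] $ext).SubjectKeyIdentifier
    # Same value format the thread uses for altSecurityIdentities: X509:<SKI> plus the hex SKI
    return "X509:<SKI>$ski"
}

function Install-CaCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string] $StoreName
    )
    # Only CA certificates belong in Root/CA: check BasicConstraints (OID 2.5.29.19)
    $bc = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not ([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] $bc).CertificateAuthority) {
        throw "Refusing to install non-CA certificate '$($Cert.Subject)' into $StoreName"
    }
    # Only self-signed certificates go to Root; intermediates belong in CA
    if ($StoreName -eq 'Root' -and $Cert.Subject -ne $Cert.Issuer) {
        throw "'$($Cert.Subject)' is not self-signed; install it with -Store CA"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        # Idempotent: a re-run of a connector "create"/"update" must not duplicate the entry
        $found = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        if ($found.Count -eq 0) {
            $store.Add($Cert)
            Write-Output "installed $($Cert.Thumbprint) into LocalMachine\$StoreName"
        } else {
            Write-Output "already present: $($Cert.Thumbprint) in LocalMachine\$StoreName"
        }
    } finally {
        $store.Close()
    }
}

# Decode the payload into a certificate object (public part only; no private key needed)
$bytes = [Convert]::FromBase64String($Base64Cert)
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

switch ($Action) {
    'install' { Install-CaCert -Cert $cert -StoreName $Store }
    'ski'     { Get-SkiMapping -Cert $cert }
}
```

Usage on the target host, with the base64 text of a certificate in a file: `.\cert-tool.ps1 -Action install -Base64Cert (Get-Content .\root.b64 -Raw) -Store Root` for the root, the same with `-Store CA` for each intermediate, and `.\cert-tool.ps1 -Action ski -Base64Cert (Get-Content .\user.b64 -Raw)` to obtain the string to store in the plain schema that Syncope maps to altSecurityIdentities. The Root-store check matters because an intermediate placed in Root would be trusted without chaining to anything, and the thumbprint lookup keeps repeated runs harmless.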