neuron ring wrote:
> Hi lambam,
>
> I am trying to do LDAP client certificate mapping. I have given an
> insight into my configuration below.
>
> My certmap.conf file:
>
> certmap example ou=employees,o=us.com -------------→ this is the DN of the CA issuer
> example:verifycert on
> example:DNComps cn,email,roomNumber
Try example:DNComps ou,o
> example:FilterComps l,email,uid,telephoneNumber
example:FilterComps cn
> example:CmapLdapAttr certSubjectDN
I don't think you want to use CmapLdapAttr. See http://directory.fedoraproject.org/wiki/Howto:CertMapping for more information.
>
> Generation of CA cert:
>
> certutil -S -n "CertCA" -s "ou= employees,o= us.com" -x -t "CT,," -m 1000 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
>
> Is this correct?
>
> I assume ou=employees,o=us.com is my CA cert issuer, so I am using it as the issuerDN value in certmap.conf.
>
> Creating the client certificate:
>
> certutil -S -n "certuser" -s "cn=certuser, ou=employees,o=us.com" -c " CertCA " -t "u,u,u" -m 1003 -v 120 -d <path/to/instance cert db> -z noise.txt -f pwdfile.txt
>
> and adding the userCertificate;binary attribute to that user entry, after creating the binary certificate:
>
> certutil -L -d <instance-path> -n "certuser" -r > usercert.bin
>
> When I try to ldapsearch:
>
> ldapsearch -h myhost -p 636 -Z -P /etc/opt/dirsrv/slapd-<instance>/cert8.db -N " certuser " -K /etc/opt/dirsrv/slapd-<instance>/key3.db -W "password" -b "o=us.com" cn=certuser
>
> ldap_sasl_bind: Invalid credentials
> ldap_sasl_bind: additional info: client certificate mapping failed
>
> But when I change the issuerDN in the certmap.conf file to whatever DN (even if it is non-existing and invalid) I get the search result properly. But the criterion is that the issuerDN in certmap.conf should be exactly the same DN that issued the CA certificate.
>
> The problem is that whenever I use the correct issuerDN in the first line of the certmap.conf file I get the error.
>
> I am totally confused. Can somebody help me to get rid of this problem?
>
> Thanks in advance,
> Neuron Ring.
>
> Hello Neuron Ring.
>
> Certificate to LDAP Mapping:
>
> http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
>
> Page 198 ish.
>
> API:
> ----
>
> From page 201 of the above guide:
>
> < You can use the Certificate Mapping API to create your own properties. For
> < information on using the Certificate Mapping API, see "Certificate Mapping SDKs"
> < at the following URL - which is followed by a defunct link.
>
> Try here, rather:
>
> http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/
>
> I hope this helps, laters. I'll keep an eye out for further questions along this line.
>
> --------------------------------------------------------------------------------
> Date: Tue, 24 Mar 2009 17:51:50 +0530
> From: neuronring at gmail.com
> To: fedora-directory-users at redhat.com
> Subject: Certificate to LDAP Mapping API
>
> Hi all,
>
> I need to use the "Certificate to LDAP Mapping" functionality.
>
> The README file in the source ldapserver/lib/ldaputil/examples path suggests:
> Refer to the "Certificate to LDAP Mapping API" documentation to find out about the various API functions and how you can write your plug-in.
>
> And also to refer to the "Managing servers" manual. But I couldn't get those documents. How can I write my own plug-in for LDAP Mapping?
>
> Or what can I do with the certmap.conf file to configure Certificate to LDAP Mapping?
>
> Can somebody provide a link to that document or explain what Certificate to LDAP Mapping is?
>
> Thanks in advance,
> Neuron Ring.
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
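To make the difference between the two certmap.conf variants in the thread concrete, here is an added Python model (not 389 Directory Server code, and not written by anyone in the thread) that parses certmap.conf and derives the search base and filter the server would use from a certificate's issuer and subject DN. The resolution rules it implements (DNComps builds the base, FilterComps builds an ANDed filter, unmatched issuers fall through to the subject DN) are assumptions taken from the CertMapping how-to, and the subject and config strings are constructed samples.

```python
import re
# Constructed sample input (not from the thread's systems): the client cert subject and both certmap.conf variants.
CLIENT_SUBJECT = "cn=certuser, ou=employees,o=us.com"
ORIGINAL_CERTMAP = """certmap example ou=employees,o=us.com
example:DNComps cn,email,roomNumber
example:FilterComps l,email,uid,telephoneNumber"""
SUGGESTED_CERTMAP = """certmap example ou=employees,o=us.com
example:DNComps ou,o
example:FilterComps cn"""

def parse_dn(dn):
    """Split a DN into (attr, value) pairs, attr lower-cased, honouring '\\,' escapes."""
    return [(a.strip().lower(), v.strip()) for a, _, v in
            (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn))]

def normalise_dn(dn):
    """Canonical form for comparing the certificate issuer with certmap entries."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

def parse_certmap(text):
    """Return {normalised issuer DN: {property: value}} from certmap.conf text."""
    entries, names = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("certmap "):   # 'certmap <name> <issuer DN>'
            _, name, issuer = line.split(None, 2)
            names[name] = normalise_dn(issuer)
            entries[names[name]] = {}
        else:                                     # '<name>:<property> <value>'
            name, rest = line.split(":", 1)
            prop, _, value = rest.strip().partition(" ")
            entries[names[name]][prop.lower()] = value.strip()
    return entries

def resolve(certmap, issuer_dn, subject_dn):
    """Return (search base, filter). Assumed semantics, per the CertMapping how-to:
    DNComps attrs present in the subject form the base, FilterComps attrs are ANDed into
    the filter, missing attrs are skipped; an unmatched issuer falls back to the subject DN."""
    subject = dict(parse_dn(subject_dn))
    entry = certmap.get(normalise_dn(issuer_dn))
    if entry is None:
        return ",".join(f"{a}={v}" for a, v in parse_dn(subject_dn)), "(objectClass=*)"
    comps = lambda prop: [a for a in entry.get(prop, "").lower().split(",") if a in subject]
    esc = lambda v: re.sub(r"[\\*()\0]", lambda m: "\\%02x" % ord(m.group()), v)  # RFC 4515
    base = ",".join(f"{a}={subject[a]}" for a in comps("dncomps"))
    terms = [f"({a}={esc(subject[a])})" for a in comps("filtercomps")]
    filt = terms[0] if len(terms) == 1 else ("(&%s)" % "".join(terms) if terms else "")
    return base, filt
```

Calling resolve() with the CA issuer DN against each parsed config shows the original components yield a base of just cn=certuser and an empty filter, while ou,o with cn yields ou=employees,o=us.com and (cn=certuser).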