Accessing PKI Database - dogtagpki/freeipa GitHub Wiki
This page describe the process to access PKI database in IPA.
To use basic authentication, specify the bind DN and password:
$ ldapsearch \
-H ldap://$HOSTNAME \
-x \
-D "cn=Directory Manager" \
-w Secret.123 \
-b "o=ipaca" \
-s one \
-LLL \
dn
Note: The command should contain -x, -D, and -w options.
The search operation should return these entries:
dn: ou=people,o=ipaca dn: ou=groups,o=ipaca dn: ou=requests,o=ipaca dn: cn=crossCerts,o=ipaca dn: ou=ca,o=ipaca dn: ou=replica,o=ipaca dn: ou=ranges,o=ipaca dn: cn=aclResources,o=ipaca dn: ou=Security Domain,o=ipaca dn: ou=acme,o=ipaca
Check the DS access log at /var/log/dirsrv/slapd-EXAMPLE-COM/access:
[20/Mar/2023:19:13:07.077242137 -0400] conn=111 op=0 BIND dn="cn=Directory Manager" method=128 version=3
Find the subsystem certificate nickname in /etc/pki/pki-tomcat/ca/conf/CS.cfg:
$ grep internaldb.ldapauth.clientCertNickname /etc/pki/pki-tomcat/ca/conf/CS.cfg internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
To use client certificate authentication, specify the NSS database, certificate nickname, and password file:
$ LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias \
LDAPTLS_CERT="subsystemCert cert-pki-ca" \
LDAPTLS_KEY=/etc/pki/pki-tomcat/alias/pwdfile.txt \
ldapsearch \
-H ldaps://$HOSTNAME:636 \
-b "o=ipaca" \
-s one \
-LLL \
dn
Note: The command should not contain -x, -D, or -w options.
The search operation should return these entries:
dn: ou=people,o=ipaca dn: ou=groups,o=ipaca dn: ou=requests,o=ipaca dn: cn=crossCerts,o=ipaca dn: ou=ca,o=ipaca dn: ou=replica,o=ipaca dn: ou=ranges,o=ipaca dn: cn=aclResources,o=ipaca dn: ou=Security Domain,o=ipaca dn: ou=acme,o=ipaca
Check the DS access log at /var/log/dirsrv/slapd-EXAMPLE-COM/access:
[21/Sep/2016:21:53:42.063195010 +0200] conn=49 TLS1.2 256-bit AES-GCM; client CN=CA Subsystem,O=EXAMPLE.COM; issuer CN=Certificate Authority,O=EXAMPLE.COM [21/Sep/2016:21:53:42.066776737 +0200] conn=49 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
The client certificate should be mapped to pkidbuser.