Configuring ACME with DS Realm - dogtagpki/pki GitHub Wiki
This document describes the process to configure ACME responder to use a DS database for authentication realm. It assumes that the DS database has been installed as described in DS Installation.
Prepare subtrees for ACME users and groups in DS.
A sample LDIF file is available at /usr/share/pki/acme/realm/ds/create.ldif.
This example uses dc=acme,dc=pki,dc=example,dc=com as the base DN.
Import the file with the following command:
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
-f /usr/share/pki/acme/realm/ds/create.ldif
A sample realm configuration is available at /usr/share/pki/acme/realm/ds/realm.conf.
To use the DS realm, copy the sample realm.conf into the /var/lib/pki/pki-tomcat/conf/acme folder,
or execute the following command to customize some of the parameters:
$ pki-server acme-realm-mod --type ds \
-DbindPassword=Secret.123
Customize the realm configuration as needed. In a standalone ACME deployment, the realm.conf should look like the following:
class=org.dogtagpki.acme.realm.DSRealm url=ldap://<hostname>:389 authType=BasicAuth bindDN=cn=Directory Manager bindPassword=Secret.123 usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
In a shared CA and ACME deployment, the realm.conf should look like the following:
class=org.dogtagpki.acme.realm.DSRealm configFile=conf/ca/CS.cfg usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com