PKI Server CA Authentication Plugin CLI - dogtagpki/pki GitHub Wiki

Overview

From Dogtag 10.x the pki console is going to be deprecated. The console has many features for which equivalent CLIs are not yet present. Authentication plug-ins provide connectivity between Dogtag instances and LDAP databases, flat files, etc.

The pki-server ca-auth-plugin commands will provide an interface for administrators to configure authentication plugins.

Register Authentication plugin manager

$ pki-server ca-auth-manager-add -t SysAuth -c org.class.example.com.SystemAuth -i topology-02-CA
Auth plugin registered.

Remove Authentication plugin manager

$ pki-server ca-auth-manager-del SysAuth -i topology-02-CA
Auth plugin manager SysAuth deleted.

Find Authentication plugin manager

$ pki-server ca-auth-manager-find -i topology-02-CA
  Configured Plugin Managers.
  ===========================
   Manager ID: FlatFileAuth
   Manager Class: com.netscape.cms.authentication.FlatFileAuth

   Manager ID: CMCUserSignedAuth
   Manager Class: com.netscape.cms.authentication.CMCUserSignedAuth

   Manager ID: UidPwdGroupDirAuth
   Manager Class: com.netscape.cms.authentication.UidPwdGroupDirAuthentication

   Manager ID: UserPwdDirAuth
   Manager Class: com.netscape.cms.authentication.UserPwdDirAuthentication

   Manager ID: SharedToken
   Manager Class: com.netscape.cms.authentication.SharedSecret

   Manager ID: SessionAuthentication
   Manager Class: com.netscape.cms.authentication.SessionAuthentication

   Manager ID: UidPwdPinDirAuth
   Manager Class: com.netscape.cms.authentication.UidPwdPinDirAuthentication

   Manager ID: AgentCertAuth
   Manager Class: com.netscape.cms.authentication.AgentCertAuthentication

   Manager ID: TokenAuth
   Manager Class: com.netscape.cms.authentication.TokenAuthentication

   Manager ID: UidPwdDirAuth
   Manager Class: com.netscape.cms.authentication.UidPwdDirAuthentication

   Manager ID: SSLclientCertAuth
   Manager Class: com.netscape.cms.authentication.SSLclientCertAuthentication

   Manager ID: CMCAuth
   Manager Class: com.netscape.cms.authentication.CMCAuth

Add Authentication plugin instance

Create instance of SharedToken authentication plugin:

$ pki-server ca-auth-plugin-add -i topology-02-CA \
    -n sharedTok2 \
    -t SharedToken \
    -h pki1.example.com \
    -p 3389 \
    --dnPattern "UID=\$attr.uid" \
    --stringAttribute mail \
    --byteAttributes mail \
    --ldapBaseDN "o=topology-02-CA-CA" \
    --bindDN "cn=Directory Manager" \
    --password SECret.123 \
    --authType basicAuth \
    --attr "mail2"
Added plugin sharedTok2

Create instance of UidPwdDirAuth authentication plugin:

$ pki-server ca-auth-plugin-add -i topology-02-CA \
    -n uidpwd2 \
    -t UidPwdDirAuth \
    -h pki1.example.com \
    -p 3389 \
    --dnPattern "UID=\$attr.uid" \
    --stringAttribute mail \
    --byteAttributes mail \
    --ldapBaseDN "o=topology-02-CA-CA" \
    --ldapAttrName "mail" \
    --ldapAttrDesc "mail"
Added plugin uidpwd2

Add an authentication plugin from a file (future scope).

Show Authentication plugin instance

$ pki-server ca-auth-plugin-show uidpwd2 -i topology-02-CA
   Instance Name: uidpwd2
   Plugin Name: UidPwdDirAuth
   DN Pattern: UID=$attr.uid
   Hostname: pki1.example.com
   Port: 3389
   Secure Connection: false
   Version: 3
   Base DN: o=topology-02-CA-CA
   LDAP Bytes Attributes: mail
   LDAP String Attributes: mail

To store the plugin configuration in a file, pass -o with the output path:

$ pki-server ca-auth-plugin-show uidpwd2 -i topology-02-CA -o /tmp/plug.cfg
  Instance Name: uidpwd2
  Plugin Name: UidPwdDirAuth
  DN Pattern: UID=$attr.uid
  Hostname: pki1.example.com
  Port: 3389
  Secure Connection: false
  Version: 3
  Base DN: o=topology-02-CA-CA
  LDAP Bytes Attributes: mail
  LDAP String Attributes: mail
Plugin stored in /tmp/plug.cfg.

Find Authentication Plugin instances

Some plugin instances are present by default; use the following CLI to view them:

$ pki-server ca-auth-plugin-find -i topology-02-CA
Available plugins:
==================
Configured Plugin instances.
============================
  Instance Name: AgentCertAuth
  Plugin Name: AgentCertAuth
  Plugin Group: Certificate Manager Agents

  Instance Name: CMCUserSignedAuth
  Plugin Name: CMCUserSignedAuth

  Instance Name: SSLclientCertAuth
  Plugin Name: SSLclientCertAuth

  Instance Name: SessionAuthentication
  Plugin Name: SessionAuthentication

  Instance Name: TokenAuth
  Plugin Name: TokenAuth

  Instance Name: flatFileAuth
  Plugin Name: FlatFileAuth
  Authentication Attributes: PWD
  Defer On Failure: true
  File name: /var/lib/pki/topology-02-CA/conf/ca/flatfile.txt
  Key Attributes: UID

  Instance Name: raCertAuth
  Plugin Name: AgentCertAuth
  Plugin Group: Registration Manager Agents

  Instance Name: sharedTok2
  Plugin Name: SharedToken
  DN Pattern: UID=$attr.uid
  Bind DN: cn=Directory Manager
  Bind PW Prompt: Rule sharedTok2
  Hostname: pki1.example.com
  Port: 3389
  Secure Connection: false
  Version: 3
  Base DN: o=topology-02-CA-CA
  Auth Type: basicAuth
  LDAP Bytes Attributes: mail
  LDAP String Attributes: mail
  Shared Token Attribute: mail2

  Instance Name: uidpwd2
  Plugin Name: UidPwdDirAuth
  DN Pattern: UID=$attr.uid
  Hostname: pki1.example.com
  Port: 3389
  Secure Connection: false
  Version: 3
  Base DN: o=topology-02-CA-CA
  LDAP Bytes Attributes: mail
  LDAP String Attributes: mail
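The show and find output above is rendered from the CA's configuration properties. The following is an added example, not code from the pki-server project: a small model of how the plugin-add, plugin-show, manager-find and plugin-find commands map onto CS.cfg-style `key=value` properties, plus a defender's check over the same data. It assumes (the page does not show CS.cfg) that instance settings live under `auths.instance.<name>.` and manager classes under `auths.impl.<name>.class`; the key names `ldap.ldapconn.host`, `ldap.ldapconn.secureConn` and `ldap.ldapauth.bindDN` follow the layout of a stock Dogtag configuration but are treated here as illustrative, and the sample properties are constructed.

```python
"""Added example (not pki-server code): model the ca-auth-plugin commands over
CS.cfg-style properties and flag LDAP auth instances that use a cleartext
connection.  Key layout (auths.instance.<name>.*, auths.impl.<name>.class) is an
assumption about the Dogtag configuration, not taken from this page."""
from typing import Dict, List, Tuple

# Constructed sample mirroring the instances shown on the page; not a real CS.cfg.
SAMPLE_CS_CFG = """\
auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
auths.impl.SharedToken.class=com.netscape.cms.authentication.SharedSecret
auths.instance.uidpwd2.pluginName=UidPwdDirAuth
auths.instance.uidpwd2.dnpattern=UID=$attr.uid
auths.instance.uidpwd2.ldap.basedn=o=topology-02-CA-CA
auths.instance.uidpwd2.ldap.ldapconn.host=pki1.example.com
auths.instance.uidpwd2.ldap.ldapconn.port=3389
auths.instance.uidpwd2.ldap.ldapconn.secureConn=false
auths.instance.uidpwd2.ldap.ldapconn.version=3
auths.instance.uidpwd2.ldapByteAttributes=mail
auths.instance.uidpwd2.ldapStringAttributes=mail
auths.instance.sharedTok2.pluginName=SharedToken
auths.instance.sharedTok2.ldap.ldapconn.host=pki1.example.com
auths.instance.sharedTok2.ldap.ldapconn.port=3389
auths.instance.sharedTok2.ldap.ldapconn.secureConn=false
auths.instance.sharedTok2.ldap.ldapauth.authtype=basicAuth
auths.instance.sharedTok2.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.sharedTok2.ldap.ldapauth.bindPWPrompt=Rule sharedTok2
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; the value may itself contain '=' (e.g. a DN pattern)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def list_managers(props: Dict[str, str]) -> Dict[str, str]:
    """ca-auth-manager-find: manager ID -> implementing Java class."""
    return {k[len("auths.impl."):-len(".class")]: v
            for k, v in props.items()
            if k.startswith("auths.impl.") and k.endswith(".class")}


def list_instances(props: Dict[str, str]) -> List[str]:
    """ca-auth-plugin-find: names of all configured plugin instances."""
    return sorted({k.split(".")[2] for k in props if k.startswith("auths.instance.")})


def instance_props(props: Dict[str, str], name: str) -> Dict[str, str]:
    """ca-auth-plugin-show: settings of one instance with the prefix stripped."""
    prefix = f"auths.instance.{name}."
    return {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}


def add_instance(props: Dict[str, str], name: str, plugin: str,
                 settings: Dict[str, str]) -> Dict[str, str]:
    """ca-auth-plugin-add: refuse unknown managers and duplicate instance names."""
    if plugin not in list_managers(props):
        raise ValueError(f"no registered manager named {plugin!r}")
    if name in list_instances(props):
        raise ValueError(f"instance {name!r} already exists")
    new = dict(props)
    new[f"auths.instance.{name}.pluginName"] = plugin
    for key, value in settings.items():
        new[f"auths.instance.{name}.{key}"] = value
    return new


def cleartext_ldap_instances(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag LDAP-backed instances whose connection is not TLS-protected.

    Both the bind DN credentials of the plugin and the user passwords it
    verifies travel over this connection, so 'Secure Connection: false'
    means they cross the network in the clear."""
    flagged = []
    for name in list_instances(props):
        inst = instance_props(props, name)
        if "ldap.ldapconn.host" not in inst:
            continue  # not an LDAP-backed plugin (e.g. FlatFileAuth)
        if inst.get("ldap.ldapconn.secureConn", "false").lower() != "true":
            who = inst.get("ldap.ldapauth.bindDN", "user simple bind")
            flagged.append((name, f"cleartext LDAP to {inst['ldap.ldapconn.host']} "
                                  f"as {who}"))
    return flagged


if __name__ == "__main__":
    cfg = parse_cs_cfg(SAMPLE_CS_CFG)
    for name, reason in cleartext_ldap_instances(cfg):
        print(f"{name}: {reason}")
```

Run as a script it reports both sample instances, since the `Secure Connection: false` shown in the page's output means the bind DN and the user's password are sent without TLS; a review of the CLI design would also note that `--password SECret.123` on the command line lands in shell history and is visible in the process list, so a password file or prompt is the safer interface.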

Remove Authentication plugin instance

$ pki-server ca-auth-plugin-del -i topology-02-CA uidpwd2
Plugin uidpwd2 removed from instance topology-02-CA

Authentication plugin templates

Store templates in a file and use them to add auth plugin instances (future scope).

See Also
