Configuring Client Certificate Authentication
Endi S. Dewata edited this page Apr 28, 2023
Export the user certificate (DER) from the NSS database:

```
$ certutil -L -d <database> -n <nickname> -r > testuser.crt
```

Create a test user whose uid matches the UID in the certificate subject DN (the `person` object class requires `sn` as well as `cn`):

```
$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
EOF
```
Edit /etc/dirsrv/slapd-pki-tomcat/certmap.conf:
```
# search entire directory for (uid=<UID in subject DN>)
certmap example CN=CA Signing Certificate,O=EXAMPLE
example:DNComps
example:FilterComps uid
```

Allow client certificate authentication on the server:

```
$ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
EOF
```
Verify with openldap-clients and NSS database:
```
$ echo internal=Secret.123 > password.txt
$ LDAPTLS_CACERTDIR=<directory> \
  LDAPTLS_CERT=<nickname> \
  LDAPTLS_KEY=password.txt \
  ldapsearch -H ldaps://$HOSTNAME:636 \
  -b "dc=example,dc=com" "(objectClass=*)"
```
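The certmap.conf entry decides which directory entry a presented certificate is matched against. The following Python model is an added illustration, not code from 389 DS: it parses the entry from this page and shows the search base and filter derived from a certificate subject DN. The component rules (absent DNComps uses the whole subject DN as base, empty DNComps searches the whole directory, FilterComps are ANDed into the filter) follow the 389 DS certmap documentation; the `default_base` parameter and the sample subject DN are assumptions.

```python
import re

# Constructed sample: the certmap.conf entry from this page.
CERTMAP_CONF = """\
# search entire directory for (uid=<UID in subject DN>)
certmap example CN=CA Signing Certificate,O=EXAMPLE
example:DNComps
example:FilterComps uid
"""

def parse_certmap(text):
    """Return {name: {"issuer": ..., "DNComps": list|None, "FilterComps": list|None}}."""
    maps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer, "DNComps": None, "FilterComps": None}
            continue
        head, _, value = line.partition(" ")
        name, _, key = head.partition(":")
        maps[name][key] = value.split()   # [] = present but empty, None = absent
    return maps

def split_dn(dn):
    """'uid=testuser,ou=People,dc=example,dc=com' -> [('uid', 'testuser'), ...]."""
    return [tuple(p.strip().split("=", 1)) for p in re.split(r"(?<!\\),", dn)]

def escape_filter(value):
    """RFC 4515 escaping so subject values cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in '\\*()\x00' else c for c in value)

def map_subject(entry, subject_dn, default_base):
    """Derive (base DN, filter) the way a certmap entry does (simplified model)."""
    rdns = split_dn(subject_dn)
    dncomps = entry["DNComps"]
    if dncomps is None:            # absent: whole subject DN is the search base
        base = subject_dn
    elif not dncomps:              # empty: search the entire directory
        base = default_base
    else:                          # listed components, kept in subject-DN order
        keep = {c.lower() for c in dncomps}
        base = ",".join(f"{a}={v}" for a, v in rdns if a.lower() in keep)
    fkeys = {c.lower() for c in (entry["FilterComps"] or [])}
    terms = [f"({a}={escape_filter(v)})" for a, v in rdns if a.lower() in fkeys]
    if not terms:
        return base, "(objectClass=*)"
    return base, terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"

MAPS = parse_certmap(CERTMAP_CONF)
```

With the page's entry, a certificate whose subject is `uid=testuser,ou=People,dc=example,dc=com` is looked up under the whole suffix with the filter `(uid=testuser)`, which is exactly the entry created above.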