Setting up CA Database User with LDAP Tools

Endi S. Dewata edited this page Jan 15, 2024 · 2 revisions

Overview

This page describes how to set up a user that accesses the CA database in DS, using only LDAP command-line tools.

Adding Database User

$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userState: 1
userType: agentType
EOF

Assigning Certificate to Database User

Convert the certificate to DER format:

$ openssl x509 -outform der -in subsystem.crt -out subsystem.der

Get the certificate serial number:

$ openssl x509 -text -noout -in subsystem.crt
...
        Serial Number:
            5a:a7:13:f5:0f:8b:5e:77:ae:fe:58:7e:4f:d0:c7:da
...

Convert it into decimal format:

$ python
>>> int('5aa713f50f8b5e77aefe587e4fd0c7da', 16)
120498037977510792098276151038707812314

Add the certificate into the user entry:

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: description
description: 2;<decimal serial number>;CN=CA Signing Certificate;CN=Subsystem Certificate
-
add: seeAlso
seeAlso: CN=Subsystem Certificate
-
add: userCertificate
userCertificate:< file:subsystem.der
-
EOF
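The three steps above (read the serial from the openssl output, convert it to decimal, fill in the description line and the ldapmodify input) combined into one helper. This is an added example, not code from the Dogtag PKI project; the openssl output fragment is constructed from this page's serial number, and the issuer and subject strings are the ones the page's description line uses.

```python
import re

# Constructed sample: the relevant part of `openssl x509 -text -noout` output,
# using the serial number shown on this page.
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:a7:13:f5:0f:8b:5e:77:ae:fe:58:7e:4f:d0:c7:da
"""

# openssl prints short serials inline as "4096 (0x1000)" and long ones as
# colon-separated bytes on the following line; accept both forms.
_SERIAL_RE = re.compile(
    r"Serial Number:\s*(?:\d+\s*\(0x(?P<short>[0-9a-fA-F]+)\)"
    r"|(?P<long>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*))"
)

def extract_serial_hex(openssl_text):
    """Return the serial from `openssl x509 -text` output as plain hex digits."""
    m = _SERIAL_RE.search(openssl_text)
    if m is None:
        raise ValueError("no Serial Number field found")
    return (m.group("short") or m.group("long").replace(":", "")).lower()

def serial_to_decimal(serial_hex):
    """The page's int(..., 16) step, tolerant of colons, whitespace and a 0x prefix."""
    cleaned = serial_hex.strip().lower().replace(":", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return int(cleaned, 16)

def build_description(serial_dec, issuer_dn, subject_dn):
    """Value for the user's description attribute: 2;<serial>;<issuer>;<subject>."""
    return "2;%d;%s;%s" % (serial_dec, issuer_dn, subject_dn)

def build_modify_ldif(user_dn, description, subject_dn, der_path):
    """LDIF for the ldapmodify step; `:<` makes ldapmodify read the DER file itself."""
    lines = ["dn: " + user_dn, "changetype: modify",
             "add: description", "description: " + description, "-",
             "add: seeAlso", "seeAlso: " + subject_dn, "-",
             "add: userCertificate", "userCertificate:< file:" + der_path, "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    serial = serial_to_decimal(extract_serial_hex(SAMPLE_OPENSSL_TEXT))
    desc = build_description(serial, "CN=CA Signing Certificate", "CN=Subsystem Certificate")
    print(build_modify_ldif("uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com",
                            desc, "CN=Subsystem Certificate", "subsystem.der"), end="")
```

Pipe the generated text into `ldapmodify ... -f -` from the directory that holds subsystem.der, since the `file:` URL is resolved relative to where ldapmodify runs.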

Assigning Roles to Database User

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=Subsystem Group,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
-
EOF

Granting Access to Database User

$ sed \
    -e 's/{rootSuffix}/dc=example,dc=com/g' \
    -e 's/{dbuser}/uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/server/database/ds/db-access-grant.ldif \
    | tee db-access-grant.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f db-access-grant.ldif