-
Notifications
You must be signed in to change notification settings - Fork 139
PKI Server CA Authentication Plugin CLI
Endi S. Dewata edited this page Aug 4, 2022
·
2 revisions
From Dogtag 10.x pki console is going to be deprecated. This console have may features but equivalent CLI’s are not present. Authentication plug-ins helps, to provide connectivity between dogtag instances to LDAP database, files, etc.
The pki-server ca-auth-plugin
will provide interface for admin to configure authentication plugins.
$ pki-server ca-auth-manager-add -t SysAuth -c org.class.example.com.SystemAuth -i topology-02-CA Auth plugin registered.
$ pki-server ca-auth-manager-del SysAuth -i topology-02-CA Auth plugin manager SysAuth deleted.
$ pki-server ca-auth-manager-find -i topology-02-CA Configured Plugin Managers. =========================== Manager ID: FlatFileAuth Manager Class: com.netscape.cms.authentication.FlatFileAuth Manager ID: CMCUserSignedAuth Manager Class: com.netscape.cms.authentication.CMCUserSignedAuth Manager ID: UidPwdGroupDirAuth Manager Class: com.netscape.cms.authentication.UidPwdGroupDirAuthentication Manager ID: UserPwdDirAuth Manager Class: com.netscape.cms.authentication.UserPwdDirAuthentication Manager ID: SharedToken Manager Class: com.netscape.cms.authentication.SharedSecret Manager ID: SessionAuthentication Manager Class: com.netscape.cms.authentication.SessionAuthentication Manager ID: UidPwdPinDirAuth Manager Class: com.netscape.cms.authentication.UidPwdPinDirAuthentication Manager ID: AgentCertAuth Manager Class: com.netscape.cms.authentication.AgentCertAuthentication Manager ID: TokenAuth Manager Class: com.netscape.cms.authentication.TokenAuthentication Manager ID: UidPwdDirAuth Manager Class: com.netscape.cms.authentication.UidPwdDirAuthentication Manager ID: SSLclientCertAuth Manager Class: com.netscape.cms.authentication.SSLclientCertAuthentication Manager ID: CMCAuth Manager Class: com.netscape.cms.authentication.CMCAuth
Create instance of SharedToken
authentication plugin:
$ pki-server ca-auth-plugin-add -i topology-02-CA \ -n sharedTok2 \ -t SharedToken \ -h pki1.example.com \ -p 3389 \ --dnPattern "UID=\$attr.uid" \ --stringAttribute mail \ --byteAttributes mail \ --ldapBaseDN "o=topology-02-CA-CA" \ --bindDN "cn=Directory Manager" \ --password SECret.123 \ --authType basicAuth \ --attr "mail2" Added plugin sharedTok2
Create instance of UidPwdDirAuth
authentication plugin:
$ pki-server ca-auth-plugin-add -i topology-02-CA \ -n uidpwd2 \ -t UidPwdDirAuth \ -h pki1.example.com \ -p 3389 \ --dnPattern "UID=\$attr.uid" \ --stringAttribute mail \ --byteAttributes mail \ --ldapBaseDN "o=topology-02-CA-CA" \ --ldapAttrName "mail" \ --ldapAttrDesc "mail" Added plugin uidpwd2
Add authentication plugin using file. (scope future)
$ pki-server ca-auth-plugin-show uidpwd2 -i topology-02-CA Instance Name: uidpwd2 Plugin Name: UidPwdDirAuth DN Pattern: UID=$attr.uid Hostname: pki1.example.com Port: 3389 Secure Connection: false Version: 3 Base DN: o=topology-02-CA-CA LDAP Bytes Attributes: mail LDAP String Attributes: mail
If you want to store plugin in to the file.
$ pki-server ca-auth-plugin-show uidpwd2 -i topology-02-CA -o /tmp/plug.cfg Instance Name: uidpwd2 Plugin Name: UidPwdDirAuth DN Pattern: UID=$attr.uid Hostname: pki1.example.com Port: 3389 Secure Connection: false Version: 3 Base DN: o=topology-02-CA-CA LDAP Bytes Attributes: mail LDAP String Attributes: mail Plugin stored in /tmp/plug.cfg.
There are some plugins which are by default present, you can use following CLI to view them
$ pki-server ca-auth-plugin-find -i topology-02-CA Available plugins: ================== Configured Plugin instances. ============================ Instance Name: AgentCertAuth Plugin Name: AgentCertAuth Plugin Group: Certificate Manager Agents Instance Name: CMCUserSignedAuth Plugin Name: CMCUserSignedAuth Instance Name: SSLclientCertAuth Plugin Name: SSLclientCertAuth Instance Name: SessionAuthentication Plugin Name: SessionAuthentication Instance Name: TokenAuth Plugin Name: TokenAuth Instance Name: flatFileAuth Plugin Name: FlatFileAuth Authentication Attributes: PWD Defer On Failure: true File name: /var/lib/pki/topology-02-CA/conf/ca/flatfile.txt Key Attributes: UID Instance Name: raCertAuth Plugin Name: AgentCertAuth Plugin Group: Registration Manager Agents Instance Name: sharedTok2 Plugin Name: SharedToken DN Pattern: UID=$attr.uid Bind DN: cn=Directory Manager Bind PW Prompt: Rule sharedTok2 Hostname: pki1.example.com Port: 3389 Secure Connection: false Version: 3 Base DN: o=topology-02-CA-CA Auth Type: basicAuth LDAP Bytes Attributes: mail LDAP String Attributes: mail Shared Token Attribute: mail2 Instance Name: uidpwd2 Plugin Name: UidPwdDirAuth DN Pattern: UID=$attr.uid Hostname: pki1.example.com Port: 3389 Secure Connection: false Version: 3 Base DN: o=topology-02-CA-CA LDAP Bytes Attributes: mail LDAP String Attributes: mail
$ pki-server ca-auth-plugin-del -i topology-02-CA uidpwd2 Plugin uidpwd2 removed from instance topology-02-CA
Store templates in to the file and use them to add auth plugin instance (scope future)
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |