Write code to provide access to DB through certificates. Modify CS startup code to access DB through certs. The User should have access only to the CS suffix.
Additional steps needed to set up client auth for dogtag. These steps will be set up automatically in IPA, but they need to be documented for the standalone case.
certmap ipaca CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
where the first line is the issuer dn of the CA cert for your security domain CA.
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=636
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true

internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
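A small lint for those two CS.cfg property groups, added here as an example and not code from the Dogtag project or the commenter. It parses key=value lines (splitting on the first "=" only, since bindDN values contain "="), then reports what a stock password-based Directory Manager configuration leaves in place next to the certificate-authenticated settings above. Both sample configurations are constructed for the example; the weak one uses the bindPWPrompt tag that points at password.conf.

```python
"""Lint the LDAP bind settings of a Dogtag CS.cfg (added example)."""
from typing import Dict, List

# The two CS.cfg property groups through which the CA opens LDAP connections.
LDAP_GROUPS = ("internaldb", "authz.instance.DirAclAuthz.ldap")

# Constructed sample: password bind as the directory super-user, no TLS.
WEAK_CFG = """\
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=BasicAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=cn=Directory Manager
authz.instance.DirAclAuthz.ldap.ldapauth.bindPWPrompt=internaldb
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=389
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=false
"""

# Constructed sample: the certificate-authenticated settings from the comment.
HARDENED_CFG = """\
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=636
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style properties. Blank and '#' lines are skipped and only
    the first '=' separates key from value, so bindDN values survive intact."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def lint_ldap_auth(props: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting in each LDAP property group."""
    findings: List[str] = []
    for prefix in LDAP_GROUPS:
        authtype = props.get(f"{prefix}.ldapauth.authtype", "")
        bind_dn = props.get(f"{prefix}.ldapauth.bindDN", "")
        nickname = props.get(f"{prefix}.ldapauth.clientCertNickname", "")
        secure = props.get(f"{prefix}.ldapconn.secureConn", "false").lower()
        # The root DN is exempt from every ACI, so no suffix restriction applies.
        if bind_dn.lower() == "cn=directory manager":
            findings.append(f"{prefix}: binds as Directory Manager, which no ACI can restrict")
        # Anything other than SslClientAuth means a stored password is the credential.
        if authtype != "SslClientAuth":
            findings.append(f"{prefix}: authtype={authtype or '<unset>'}, "
                            "the CA authenticates with a stored password, not its subsystem cert")
        elif not nickname:
            findings.append(f"{prefix}: SslClientAuth set but clientCertNickname is empty")
        # Client-certificate auth needs TLS; a simple bind without it sends the password in clear.
        if secure != "true":
            findings.append(f"{prefix}: secureConn={secure}, the LDAP connection is not TLS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, lint_ldap_auth(parse_cs_cfg(cfg)) or "OK")
```

The hardened sample produces no findings; the weak one produces three per group. Point the parser at a real CS.cfg to check that both groups were converted, since converting only internaldb.* leaves the authorization lookups binding with the old credentials.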
Pushed to master and dogtag 9
Just for documentation completeness. The fix for this issue occurred on dogtag 9 in the following commits:
2566d4ddfb533d81fe6203d8457b52e7423b418e
ada9213433a122e83c7d0cc0c04a4711ae003a79
ff4d47d6f176c5f7bc1d2848943c6098f8463253
The acls required for the new db user are specified in a new manager.ldif file, which is copied here so that anyone who wants to add a similar user can provide the relevant acls.
dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)

dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
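Anyone adding a similar user will want to see exactly what the template grants before loading it. The following parser is an added example, not Dogtag project code or the commenter's: it substitutes {rootSuffix} and {dbuser} (assumed to be the only placeholders, and filled with the suffix and uid from the CS.cfg settings earlier in this ticket), pulls target, rights and subject out of each aci value, and flags any grant whose subject is not the db user or that hands out "all" rights outside the CS suffix and the csusers container. The sample LDIF is constructed from records of the manager.ldif above plus one deliberately over-broad ACI the check should catch; the regexes accept both the "acl" and "aci" keyword spellings the file uses.

```python
"""Parse manager.ldif-style ACIs and check their scope (added example)."""
import re
from typing import Dict, List, Optional, Sequence

ROOT_SUFFIX = "o=ipa-ca"  # assumed values for the template placeholders
DB_USER = "uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca"

# Constructed sample: records from manager.ldif plus an over-broad ACI at the end.
SAMPLE_LDIF = """\
dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "too broad"; allow (all) userdn = "ldap:///anyone";)
"""

TARGETATTR_RE = re.compile(r'\(targetattr\s*(!=|=)\s*"?([^)"]+)"?\)')
TARGETFILTER_RE = re.compile(r'\(targetfilter\s*=\s*"([^"]+)"\)')
NAME_RE = re.compile(r'\b(?:acl|aci)\s+"([^"]+)"')
RIGHTS_RE = re.compile(r"allow\s*\(([^)]*)\)")
USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///([^"]+)"')


def parse_aci(dn: str, aci: str) -> Dict[str, object]:
    """Extract the parts of one ACI value that decide who may do what, where."""
    ta, tf = TARGETATTR_RE.search(aci), TARGETFILTER_RE.search(aci)
    name, rights, who = NAME_RE.search(aci), RIGHTS_RE.search(aci), USERDN_RE.search(aci)
    return {
        "dn": dn,
        "name": name.group(1) if name else "",
        "targetattr": (ta.group(1) + ta.group(2).strip()) if ta else "=*",
        "targetfilter": tf.group(1) if tf else None,
        "rights": [r.strip() for r in rights.group(1).split(",")] if rights else [],
        "userdn": who.group(1) if who else "",
    }


def parse_ldif(text: str, root_suffix: str, dbuser: str) -> List[Dict[str, object]]:
    """Split blank-line separated records and collect every aci they add."""
    text = text.replace("{rootSuffix}", root_suffix).replace("{dbuser}", dbuser)
    grants = []
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in record.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)  # first ':' only; values hold 'ldap:///'
                attrs.setdefault(key.strip(), []).append(value.strip())
        dn = attrs.get("dn", [""])[0]
        grants.extend(parse_aci(dn, aci) for aci in attrs.get("aci", []))
    return grants


def within(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def check_scope(grants: List[Dict[str, object]], root_suffix: str, dbuser: str,
                extra_all_bases: Sequence[str] = ()) -> List[str]:
    """Flag grants not limited to dbuser, and 'all' outside the permitted subtrees."""
    all_bases = (root_suffix, *extra_all_bases)
    problems = []
    for g in grants:
        where = f'{g["name"]!r} at {g["dn"]}'
        if str(g["userdn"]).lower() != dbuser.lower():
            problems.append(f'{where}: subject is {g["userdn"]}, not the db user')
        if "all" in g["rights"] and not any(within(str(g["dn"]), b) for b in all_bases):
            problems.append(f'{where}: "all" rights outside the CS suffix')
    return problems


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF, ROOT_SUFFIX, DB_USER)
    for g in found:
        print(g["dn"], g["rights"], g["userdn"])
    print(check_scope(found, ROOT_SUFFIX, DB_USER, ("ou=csusers,cn=config",)))
```

Run against the full manager.ldif with the same arguments, the only "all" grants land on the CS suffix and on ou=csusers,cn=config, and every subject is the db user; the constructed "too broad" record is reported twice, once for the anonymous subject and once for the unrestricted rights at cn=config.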
Metadata Update from @vakwetu: - Issue assigned to vakwetu - Issue set to the milestone: Dogtag 10.0.0.a1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/577
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.