From fd6f7c5b0821194bbf043bb923f2bba0444343c6 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Mon, 12 Sep 2011 13:21:28 +0000
Subject: [PATCH] More on pass through authentication. Still needs a procedure/example on PTA to Active Directory
---
opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-pta.xml | 254 ++++++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 243 insertions(+), 11 deletions(-)
diff --git a/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-pta.xml b/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
index d2e6030..a7e7432 100644
--- a/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
+++ b/opendj-sdk/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
@@ -87,6 +87,63 @@
remote server or servers to redirect binds, and you need to know how you map
user entries in OpenDJ to user entries in the remote directory.</para>
+ <procedure xml:id="configure-ssl-to-test-pta">
+ <title>To Set Up SSL Communication For Testing</title>
+
+ <para>When performing pass through authentication, you no doubt protect
+ communications between OpenDJ and the server providing authentication. If
+ you test using SSL with self-signed certificates, and you do not want
+ the client blindly to trust the server, follow these steps to import
+ the authentication server's certificate into the OpenDJ key store.</para>
+
+ <step>
+ <para>Export the server certificate from the authentication server.</para>
+ <para>How you perform this step depends on the authentication directory
+ server. With OpenDJ, you can export the certificate as shown here.</para>
+ <screen>$ cd /path/to/PTA-Server/config
+$ keytool -exportcert -rfc -alias server-cert -keystore keystore
+ -storepass `cat keystore.pin` > /tmp/pta-srv-cert.pem</screen>
+ </step>
+ <step>
+ <para>Make note of the host name used in the certificate.</para>
+ <para>You use the host name when configuring the SSL connection. With
+ OpenDJ, you can view the certificate details as shown here.</para>
+ <screen>$ keytool -list -v -alias server-cert -keystore keystore -storepass `cat keystore.pin`
+Alias name: server-cert
+Creation date: Sep 12, 2011
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=<emphasis role="strong">opendj.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
+Issuer: CN=<emphasis role="strong">opendj.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
+Serial number: 4e6dc429
+Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
+Certificate fingerprints:
+ MD5: B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
+ SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
+ Signature algorithm name: SHA1withRSA
+ Version: 3</screen>
+ </step>
+ <step>
+ <para>Import the authentication server certificate into OpenDJ's
+ keystore.</para>
+ <screen>$ cd /path/to/OpenDJ/config
+$ keytool -importcert -alias pta-cert -keystore truststore
+ -storepass `cat keystore.pin` -file /tmp/pta-srv-cert.pem
+Owner: CN=opendj.example.com, O=OpenDJ Self-Signed Certificate
+Issuer: CN=opendj.example.com, O=OpenDJ Self-Signed Certificate
+Serial number: 4e6dc429
+Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
+Certificate fingerprints:
+ MD5: B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
+ SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
+ Signature algorithm name: SHA1withRSA
+ Version: 3
+Trust this certificate? [no]: yes
+Certificate was added to keystore</screen>
+ </step>
+ </procedure>
+
<procedure xml:id="configure-pta-policy">
<title>To Configure an LDAP Pass Through Authentication Policy</title>
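Review bot: The import step answers `Trust this certificate? [no]: yes` without telling the reader to check anything first, so the procedure's stated goal of not letting the client blindly trust the server rests on a comparison the text never asks for. The fingerprints keytool prints at import are the same values shown in the previous step, and comparing them is the check that matters once /tmp/pta-srv-cert.pem has been copied from one host to another. Suggest adding to the third step, before the screen: `<para>Before answering <literal>yes</literal>, compare the fingerprints shown with those you noted on the authentication server.</para>`. The `-storepass \`cat keystore.pin\`` form also exposes the keystore password in the process list; a one-line remark that this is acceptable only on a test system would match the scope the procedure title already claims.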
@@ -95,25 +152,200 @@
are part of the server configuration, and therefore not replicated.</para>
<step>
- <para>TODO</para>
+ <para>Set up an authentication policy for pass through
+ authentication to the authentication server.</para>
+ <screen>$ dsconfig -p 4444 -h `hostname` -D "cn=directory manager" -w password
+ create-password-policy --type ldap-pass-through --policy-name "PTA Policy"
+ --set primary-remote-ldap-server:Mark-Craigs-MacBook-Pro.local:2636
+ --set mapped-attribute:uid --set mapped-search-base-dn:"dc=PTA Server,dc=com"
+ --set mapping-policy:mapped-search --set use-ssl:true
+ --set trust-manager-provider:JKS -X -n</screen>
+ <para>The policy shown here maps identities under
+ <literal>dc=example,dc=com</literal> to identities under
+ <literal>dc=PTA Server,dc=com</literal>, where users have the same
+ <literal>uid</literal> values on both servers. The policy here also
+ uses SSL between OpenDJ and the authentication server.</para>
</step>
- </procedure>
-
- <procedure xml:id="assign-pta-to-user">
-
- <title>To Assign a Pass Through Authentication Policy To a User</title>
<step>
- <para>TODO</para>
+ <para>Check that your policy has been added to the list.</para>
+ <screen>$ dsconfig -p 4444 -h `hostname` -D "cn=directory manager" -w password
+ list-password-policies --property use-ssl
+
+Password Policy : Type : use-ssl
+------------------------:-------------------:--------
+Default Password Policy : password-policy : -
+PTA Policy : ldap-pass-through : true
+Root Password Policy : password-policy : -</screen>
</step>
</procedure>
- <procedure xml:id="assign-pta-to-group">
-
- <title>To Assign a Pass Through Authentication Policy To a Group</title>
+ <procedure xml:id="configure-pta-to-ad">
+ <title>To Configure Pass Through Authentication To Active Directory</title>
+
<step>
<para>TODO</para>
</step>
</procedure>
</section>
-</chapter>
+
+ <section xml:id="assigning-pta">
+ <title>Assigning Pass Through Authentication Policies</title>
+
+ <para>You assign authentication policies in the same way as you
+ assign password policies, by using the
+ <literal>ds-pwp-password-policy-dn</literal> attribute.</para>
+
+ <note>
+ <para>Although you assign the pass through authentication policy using
+ the same attribute as for password policy, the authentication policy is
+ not in fact a password policy. Therefore, the user with a pass through
+ authentication policy does not have a value for the operational attribute
+ <literal>pwdPolicySubentry</literal>.</para>
+ <screen>$ ldapsearch -p 1389 -b dc=example,dc=com uid=user.0 pwdPolicySubentry
+dn: uid=user.0,ou=People,dc=example,dc=com
+</screen>
+ </note>
+
+ <procedure xml:id="assign-pta-to-user">
+ <title>To Assign a Pass Through Authentication Policy To a User</title>
+
+ <para>Users depending on pass through authentication no longer need a local
+ password policy, as they no longer authenticate locally.</para>
+
+ <para>Examples in the following procedure work for this user, whose
+ entry on OpenDJ is as shown. Notice that the user has no password set. The
+ user's password on the authentication server is
+ <literal>password</literal>.</para>
+
+ <programlisting language="ldif">dn: uid=user.0,ou=People,dc=example,dc=com
+cn: Aaccf Amar
+description: This is the description for Aaccf Amar.
+employeeNumber: 0
+givenName: Aaccf
+homePhone: +1 225 216 5900
+initials: ASA
+l: Panama City
+mail: user.0@maildomain.net
+mobile: +1 010 154 3228
+objectClass: person
+objectClass: inetorgperson
+objectClass: organizationalperson
+objectClass: top
+pager: +1 779 041 6341
+postalAddress: Aaccf Amar$01251 Chestnut Street$Panama City, DE 50369
+postalCode: 50369
+sn: Amar
+st: DE
+street: 01251 Chestnut Street
+telephoneNumber: +1 685 622 6202
+uid: user.0
+</programlisting>
+
+ <para>This user's entry on the authentication server also has
+ <literal>uid=user.0</literal>, and the pass through authentication policy
+ performs the mapping to find the user entry in the authentication
+ server.</para>
+
+ <step>
+ <para>Prevent users from changing their own password policies.</para>
+ <screen>$ cat protect-pta.ldif
+dn: ou=People,dc=example,dc=com
+changetype: modify
+add: aci
+aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
+ "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
+ word policy";deny (write)(userdn = "ldap:///self");)
+$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f protect-pta.ldif
+Processing MODIFY request for ou=People,dc=example,dc=com
+MODIFY operation successful for DN ou=People,dc=example,dc=com</screen>
+ </step>
+ <step>
+ <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
+ attribute.</para>
+ <screen>$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password
+dn: uid=user.0,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-pwp-password-policy-dn
+ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
+
+Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com</screen>
+ </step>
+ <step>
+ <para>Check that the user can authenticate through to the authentication
+ server.</para>
+ <screen>$ ldapsearch -p 1389 -b dc=example,dc=com -D
+ uid=user.0,ou=People,dc=example,dc=com -w password uid=user.0 cn sn
+dn: uid=user.0,ou=People,dc=example,dc=com
+cn: Aaccf Amar
+sn: Amar
+</screen>
+ </step>
+ </procedure>
+
+ <procedure xml:id="assign-pta-to-group">
+ <title>To Assign a Pass Through Authentication Policy To a Group</title>
+
+ <para>Examples in the following steps use the pass through authentication
+ policy as defined above. Kirsten Vaughan's entry has been reproduced on
+ the authentication server under <literal>dc=PTA
+ Server,dc=com</literal>.</para>
+
+ <step>
+ <para>Create a subentry to assign a collective attribute that sets the
+ <literal>ds-pwp-password-policy-dn</literal> attribute for group
+ members' entries.</para>
+
+ <screen>$ cat pta-coll.ldif
+dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
+objectClass: collectiveAttributeSubentry
+objectClass: extensibleObject
+objectClass: subentry
+objectClass: top
+cn: PTA Policy for Dir Admins
+ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
+ cn=config
+subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
+ cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
+
+$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -a -f pta-coll.ldif
+Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
+ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com</screen>
+ </step>
+ <step>
+ <para>Check that OpenDJ has applied the policy.</para>
+ <substeps>
+ <step>
+ <para>Make sure you can bind as the user on the authentication
+ server.</para>
+ <screen>$ ldapsearch -p 2389 -D "uid=kvaughan,ou=People,dc=PTA Server,dc=com"
+ -w password -b "dc=PTA Server,dc=com" uid=kvaughan
+dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: top
+givenName: Kirsten
+uid: kvaughan
+cn: Kirsten Vaughan
+sn: Vaughan
+userPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w==
+ou: People
+mail: jvaughan@example.com
+</screen>
+ </step>
+ <step>
+ <para>Check that the user can authenticate through to the authentication
+ server from OpenDJ.</para>
+ <screen>$ ldapsearch -p 1389 -D "uid=kvaughan,ou=People,dc=example,dc=com" -w password
+ -b dc=example,dc=com uid=kvaughan cn sn
+dn: uid=kvaughan,ou=People,dc=example,dc=com
+cn: Kirsten Vaughan
+sn: Vaughan</screen>
+ </step>
+ </substeps>
+ </step>
+ </procedure>
+ </section>
+</chapter>
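Review bot: The `primary-remote-ldap-server` value at the top of the hunk, `Mark-Craigs-MacBook-Pro.local:2636`, does not match the certificate host name `opendj.example.com` that the SSL procedure earlier in the chapter tells the reader to note and use, so a reader following both procedures in order ends up with an example whose imported trust anchor and target host disagree; it also leaks a developer machine name into the published guide. Suggest `--set primary-remote-ldap-server:opendj.example.com:2636`, plus a sentence in the explanatory paragraph that the host name given here must be the one in the authentication server's certificate. The same dsconfig commands pass `-X`, which trusts any certificate presented on the administration port; that is a test-only shortcut unrelated to the pass through policy, and a short caveat would keep readers from carrying it into production when the rest of the chapter is careful about trust. Whether OpenDJ checks the host name against the certificate for the pass through connection is not shown here, so the consistency point stands on the text's own advice rather than on verified behaviour.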
--