11.6. Using Certificate-Based Authentication
Directory Server allows certificate-based authentication for the command-line tools (which are LDAP clients) and for replication communications. Certificate-based authentication can occur between:
An LDAP client connecting to the Directory Server.
A Directory Server connecting to another Directory Server by replication or chaining.
A single configuration parameter, nsslapd-certdir, in cn=config in dse.ldif specifies the directory containing the key, certificate, and security files. The directory name should be unique and specific to the server. For example, the /etc/dirsrv/slapd-instance_name directory contains the key and certificate databases only for the Directory Server instance called instance_name. That directory will not contain key and certificate databases for any other server or client, nor will any of the key, certificate, or other security-related files for instance_name be located in any other directory.
Directory Server 8.0 no longer uses separate files for the key and certificate databases. With the Filesystem Hierarchy Standard, the certificate and key files have been consolidated into a single file, specified in the nsslapd-certdir parameter, and the key and certificate file is stored in the /etc/dirsrv/slapd-instance_name directory.
Previous versions of Directory Server used a single directory, /opt/redhat-ds/slapd-instance/alias, for all security-related files for all servers, and required a unique prefix, such as slapd-instance-, for the key, certificate, and security-related files. The Directory Server used the attributes nsCertFile and nsKeyFile to give the locations for the key and certificate databases.
To set up certificate-based authentication, do the following:
1. Create a certificate database for the client and the server, or for both servers involved in replication.
   In the Directory Server, the certificate database is created automatically when a certificate is installed. For information on creating a certificate database for a client, see Section 11.7, “Configuring LDAP Clients to Use SSL”.
2. Obtain and install a certificate on both the client and the server, or on both servers involved in replication.
3. Enable TLS/SSL on the server or on both servers involved in replication.
   For information on enabling TLS/SSL, refer to Section 11.4, “Starting the Server with SSL Enabled”.
   If the Red Hat Console connects to Directory Server over TLS/SSL, selecting Require client authentication disables communication. This is because, although Red Hat Console supports TLS/SSL, it does not have a certificate to use for client authentication.
4. Map the certificate's distinguished name to a distinguished name known by the directory.
   This mapping determines the access control that applies to the client when it binds using the certificate.
If Red Hat Console is configured to connect to the Directory Server using TLS/SSL and the Directory Server requires client authentication, the Red Hat Console cannot be used to manage server applications. You must use the appropriate command-line utilities instead.
To use the Red Hat Console, change the directory configuration so that client authentication is allowed rather than required:
1. Stop the Directory Server.
   service dirsrv stop instance
2. Modify the cn=encryption,cn=config entry by changing the value of the nsSSLClientAuth attribute from required to allowed.
   For information on modifying entries from the command line, see Section 2.2.4, “Adding and Modifying Entries Using ldapmodify”.
3. Start the Directory Server.
   service dirsrv start instance
4. Start Red Hat Console.
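As an added example (not part of the original guide or of Directory Server itself), the following Python script reads a dse.ldif fragment, reports the nsSSLClientAuth value on cn=encryption,cn=config, tells whether Red Hat Console can still connect under that setting, and produces the ldapmodify LDIF for the required-to-allowed change described above. The sample LDIF and the instance name slapd-example are constructed for the example.

```python
# Constructed dse.ldif fragment (not a real server's) with a folded certdir line.
SAMPLE_DSE_LDIF = """\
dn: cn=config
nsslapd-security: on
nsslapd-certdir: /etc/dirsrv/
 slapd-example

dn: cn=encryption,cn=config
nsSSLClientAuth: required
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} (keys lower-cased) for simple LDIF text.
    Folded lines (leading space) are joined; base64 (::) values stay undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:            # trailing "" closes the last entry
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def client_auth_mode(text):
    """Value of nsSSLClientAuth on cn=encryption,cn=config, or None if unset."""
    values = parse_ldif(text).get("cn=encryption,cn=config", {}).get("nssslclientauth")
    return values[0].lower() if values else None

def console_can_connect(text):
    """Red Hat Console has no client certificate, so it only connects over
    TLS/SSL while client authentication is not 'required'."""
    return client_auth_mode(text) != "required"

def relax_client_auth_ldif():
    """LDIF for ldapmodify that switches nsSSLClientAuth from required to allowed."""
    return ("dn: cn=encryption,cn=config\n"
            "changetype: modify\n"
            "replace: nsSSLClientAuth\n"
            "nsSSLClientAuth: allowed\n")
```

Save the output of relax_client_auth_ldif() to a file and pass it to ldapmodify with the server stopped, as the procedure above requires.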