Configuring Client Certificate Authentication

Endi S. Dewata edited this page Apr 28, 2023 · 1 revision

Exporting Client Certificate

$ certutil -L -d <database> -n <nickname> -r > testuser.crt

Creating DS User

$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
uid: testuser
cn: Test User
# sn is a mandatory attribute of person/inetOrgPerson; the value here is illustrative
sn: User
EOF

Mapping Client Certificate to DS User

Edit /etc/dirsrv/slapd-pki-tomcat/certmap.conf:

# search entire directory for (uid=<UID in subject DN>)
certmap example     CN=CA Signing Certificate,O=EXAMPLE
example:DNComps
example:FilterComps uid
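As an added illustration (not part of this page or of 389 DS itself), the following Python models how the server applies these certmap.conf rules: the entry whose issuer DN matches the certificate's issuer is selected, an empty DNComps means the whole directory is searched, and FilterComps names the subject-DN attributes that become the LDAP filter. The subject DN, the `default` fallback entry and the treatment of an absent DNComps are assumptions.

```python
# Simplified model of how 389 DS turns a client certificate into an LDAP search via
# certmap.conf. Assumption: follows the documented DNComps/FilterComps rules; not the
# server's own code, and escaped commas inside DN values are not handled.
ENTIRE_DIRECTORY = None  # search base None means "search the whole tree"
CERTMAP_CONF = """\
# search entire directory for (uid=<UID in subject DN>)
certmap example     CN=CA Signing Certificate,O=EXAMPLE
example:DNComps
example:FilterComps uid
"""  # constructed sample: the certmap.conf shown on this page

def parse_dn(dn):
    """'UID=testuser,O=EXAMPLE' -> [('uid', 'testuser'), ('o', 'EXAMPLE')]"""
    return [(a.strip().lower(), v.strip())
            for a, v in (rdn.split("=", 1) for rdn in dn.split(",") if "=" in rdn)]

def norm_dn(dn):  # case-insensitive form used to compare issuer DNs
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

def parse_certmap(text):
    """Parse certmap.conf into {name: {'issuer': dn, 'DNComps': [...], ...}}."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            entries.setdefault(name, {})["issuer"] = issuer
        else:
            key, _, value = line.partition(" ")
            name, _, prop = key.partition(":")
            entries.setdefault(name, {})[prop] = value.split()  # [] when no value
    return entries

def map_certificate(entries, subject_dn, issuer_dn):
    """Return (search_base, ldap_filter) for a certificate with the given DNs."""
    matches = [e for n, e in entries.items()
               if n != "default" and norm_dn(e.get("issuer", "")) == norm_dn(issuer_dn)]
    entry = matches[0] if matches else entries.get("default")
    if entry is None:
        raise LookupError(f"no certmap entry for issuer {issuer_dn}")
    subject = parse_dn(subject_dn)
    dncomps = entry.get("DNComps", [])  # simplification: absent is treated as empty
    if not dncomps:          # empty DNComps: search the entire directory
        base = ENTIRE_DIRECTORY
    else:                    # base built from the listed subject components
        wanted = {c.lower() for c in dncomps}
        base = ",".join(f"{a}={v}" for a, v in subject if a in wanted)
    wanted = {c.lower() for c in entry.get("FilterComps", [])}
    terms = [f"({a}={v})" for a, v in subject if a in wanted] or ["(objectClass=*)"]
    return base, terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
```

With the page's configuration, a certificate whose subject contains `UID=testuser` resolves to a whole-directory search for `(uid=testuser)`, which is the entry created above.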

Enabling Client Certificate Authentication

$ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
EOF

Verifying Client Certificate Authentication

Verify with the openldap-clients tools and the NSS database that holds the client certificate. The password file contains the NSS token password in token=password form, and -Y EXTERNAL binds with SASL EXTERNAL so the server authenticates the session from the TLS client certificate (mapped through certmap.conf above) rather than anonymously:

$ echo internal=Secret.123 > password.txt
$ LDAPTLS_CACERTDIR=<directory> \
    LDAPTLS_CERT=<nickname> \
    LDAPTLS_KEY=password.txt \
    ldapsearch -H ldaps://$HOSTNAME:636 -Y EXTERNAL \
    -b "dc=example,dc=com" "(objectClass=*)"

See Also