Chapter 15. LDAP

Table of Contents

1. Supported options in interface configurations
2. LDAP schema specification
2.1. Used objectclasses
2.2. Supported attributes
2.3. Common definitions for distinguished names
2.4. Special definitions for user certificates
3. Sourcecodeorganization
3.1. Structure of the code
3.2. The relevant commands
3.3. export-import.lib
3.4. ldap-utils.lib
3.5. OpenCA::LDAP

Be warned - this is a developer documentation which only documents the possibilities and technical background of OpenCA ldap caode but this is not a howto or a user documentation.

1. Supported options in interface configurations

The configuration is splitted into two parts - a OpenCA related part and a LDAP related part. The OpenCA related part conists only of four options - the LDAP activation, automatic LDAP updates during imports and distinguished name manipulations for CA objects like CA certificates and CRLs. These options can be configured in the interface configurations in OPENCADIR/etc/servers/.
LDAP

If you set this option to "yes" then the LDAP code will be activated.

updateLDAPautomatic

This option will be used by the node interface. If the value is yes then the LDAP server will be updated automatically during imports of certificates, CRRs or CRLs.

LDAP_CRL_Issuer

Some users want to store the CRL in a special node of the LDAP server which is not identical with the issuer of the CRL. This can be happen if the user specifies a special CRL Distribution Point (CDP) which differs from the subject of the CA certificate. Here you can specify this special distinguished name. Please remember that OpenCA is today not able to add this node automatically if it is not present.

LDAP_CA_DN

Some users want to store the CA certificate in a not standard conform node which means that there is perhaps an already existent directory which conflicts with the PKI structure. Here they can add the distinguished name of this special node. This node can be automatically added by OpenCA.

The LDAP related part of the configuration can be found in OPENCADIR/etc/ldap.xml. This central configuration file avoids double configurations which can produce many errors and confusion because you are sure that you changed it but you only did it for one interface. The isolated configration allows better names for the configuration options too.
host

This is the hostname of your LDAP server.

port

This is the port where your LDAP server listens.

suffix/dn
This is the suffix (OpenLDAP terminology) of your LDAP server. You can add here several suffixes if your LDAP server supports this feature (e.g. OpenLDAP v2). Every suffix must be placed in a seperate dn tag. The suffix tag is the bracket for all those suffixes.
login

The bind DN of the user which OpenCA uses to add data to the server.

passwd

The passphrase for OpenCA's ldap account.

protocol_version

OpenCA supports LDAP v2 and v3. The default is v2 because all servers can support v2. Several new distributions especially of Linux deactivates the LDAP v2 support. So if your OpenCA LDAP code completely fails check first the protocol versions of OpenCA and your LDAP server.

Some other options like ldaptls and ldapsasl require LDAP v3. So be really careful which protocol you use. If your LDAP server supports protocol version 3 then please use it. It avoids a lot of trouble.

tls

Use no or yes to deactivate or activate TLS. Please remember that this option only works with LDAP v3.

sasl

Use no or yes to deactivate or activate SASL. Please remember that this option only works with LDAP v3. We use CRAM-MD5 for passphrase hashing.

excluded_roles/role
OpenCA supports the possibility to exclude roles from certificate publishing. This can be useful for security reason and be required by privacy laws. If you have such a special role simply add it to to this options.