On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <[email protected]> wrote:

> Tomasz Torcz via FreeIPA-users wrote:
> >> ACME also has a realm configuration:
> >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
> >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
> >> so there could be an issue there.
> >
> > This looks to be configured, but I found a possible discrepancy in "password":
> >
> > $ cat /etc/pki/pki-tomcat/acme/realm.conf
> > # VERSION 2 - DO NOT REMOVE THIS LINE
> > authType=BasicAuth
> > class=org.dogtagpki.acme.realm.DSRealm
> > groupsDN=ou=groups,o=ipaca
> > usersDN=ou=people,o=ipaca
> > url=ldaps://kaitain.pipebreaker.pl:636
> > configFile=/etc/pki/pki-tomcat/ca/CS.cfg
> > username=acme-kaitain.pipebreaker.pl
> > password=<40-character long text string>
> >
> > While the userPassword:: field of uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca
> > contains a very long base64 string, which decodes to a 447-character string starting
> > with {PBKDF2_SHA256}. How to make sure it corresponds to the same
> > value?
>
> This is the password for the username in the file. It is basically
> unused by IPA as IPA uses client auth with the RA agent certificate.
>
> rob

Looks like the realm is configured with BasicAuth, so it should be using the bindDN and bindPassword params as described here:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc

If you want to use SslClientAuth, I think you would need to specify the nickname param:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/realm/LDAPRealm.java#L112
https://github.com/dogtagpki/pki/blob/master/base/server/src/main/java/com/netscape/cmscore/ldapconn/LdapAuthInfo.java#L36
https://github.com/dogtagpki/pki/wiki/Configuring-Client-Certificate-Authentication-to-Internal-Database

But IIRC in the IPA case it's configured to reuse the internaldb connection defined in CS.cfg, so these params don't need to be specified again.

Is there a working IPA instance with ACME that can be compared against?

-- 
Endi S. Dewata
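One practical answer to Tomasz's question of whether the cleartext `password` in realm.conf still matches the `{PBKDF2_SHA256}` value stored in `userPassword`: the stored value is a salted hash, so it cannot be compared by eye, but a plain LDAP simple bind with the file's credentials tells you whether the directory accepts them. The script below is an added example for this thread, not code from the thread or from Dogtag/FreeIPA. It assumes the bind DN is `uid=<username>,<usersDN>` (the entry Tomasz shows under `ou=people,o=ipaca`), that the OpenLDAP `ldapwhoami` client is installed, and it embeds a constructed copy of the realm.conf from the thread with a made-up password value.

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag/FreeIPA): read the
# username/password that a BasicAuth DSRealm binds with out of realm.conf
# and test them with an LDAP simple bind, since the {PBKDF2_SHA256} hash
# in userPassword is salted and cannot be compared to the cleartext directly.
set -eu

# Constructed sample of /etc/pki/pki-tomcat/acme/realm.conf. Key names and
# values are the ones shown in the thread; the password value is made up.
SAMPLE_REALM_CONF='# VERSION 2 - DO NOT REMOVE THIS LINE
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
groupsDN=ou=groups,o=ipaca
usersDN=ou=people,o=ipaca
url=ldaps://kaitain.pipebreaker.pl:636
configFile=/etc/pki/pki-tomcat/ca/CS.cfg
username=acme-kaitain.pipebreaker.pl
password=EXAMPLE-PASSWORD-PLACEHOLDER'

# realm_get FILE KEY -> prints the value of the first KEY=VALUE line,
# skipping comment lines such as the "# VERSION 2" header.
realm_get() {
  grep -v '^[[:space:]]*#' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# realm_bind_dn FILE -> uid=<username>,<usersDN>
# Assumption: the realm user lives directly under usersDN, as the entry
# uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca in the thread does.
realm_bind_dn() {
  printf 'uid=%s,%s\n' "$(realm_get "$1" username)" "$(realm_get "$1" usersDN)"
}

# realm_check_bind FILE -> exit status 0 if a simple bind with the file's
# credentials succeeds, 1 if the directory rejects them, 2 if no check was
# possible (ldapwhoami missing, or authType is not BasicAuth so the
# username/password pair is not what the realm binds with).
realm_check_bind() {
  command -v ldapwhoami >/dev/null 2>&1 || return 2
  if [ "$(realm_get "$1" authType)" != BasicAuth ]; then
    echo "authType is not BasicAuth; username/password are not used for the bind" >&2
    return 2
  fi
  # Hand the password over in a 0600 temp file (-y) rather than on the
  # command line, so it does not show up in `ps` output.
  pwfile=$(mktemp)
  printf '%s' "$(realm_get "$1" password)" > "$pwfile"
  rc=0
  ldapwhoami -x -H "$(realm_get "$1" url)" -D "$(realm_bind_dn "$1")" \
    -y "$pwfile" >/dev/null 2>&1 || rc=1
  rm -f "$pwfile"
  return $rc
}

# Stand-alone run: parse the constructed sample. On a real host, point the
# functions at /etc/pki/pki-tomcat/acme/realm.conf instead and call
# realm_check_bind on it.
tmpconf=$(mktemp)
printf '%s\n' "$SAMPLE_REALM_CONF" > "$tmpconf"
echo "bind DN:  $(realm_bind_dn "$tmpconf")"
echo "LDAP URL: $(realm_get "$tmpconf" url)"
rm -f "$tmpconf"
```

If the bind fails while `authType=BasicAuth`, the file and the directory entry have drifted apart; if the realm is on SslClientAuth (or reuses the internaldb connection from CS.cfg, as Endi describes for IPA), the script stops with status 2 because that password is not what the realm binds with, which matches Rob's point that it is effectively unused.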
