LDAP certificate publish
The gateway can be configured to automatically publish S/MIME certificates, generated by the built-in CA, to an external LDAP.
The LDAP publish script will try to lookup the DN for the user and if found, the certificate will be added to the user entry. If the user DN is not found by, the certificate will not be added unless
add_dn_if_not_found is set.
Enabling LDAP certificate publish requires some configuration from the command line.
Login to the gateway console with SSH.
Windows users can for example use the free putty SSH cient.
Enable the service:
sudo ln -s /usr/share/djigzo-event/conf/spring/event-certificate-created.xml /usr/share/djigzo/conf/spring/spring.d/
Copy the default script to the directory from which scripts will be executed:
sudo cp /usr/share/djigzo-event/scripts/event-certificate-created.sh /usr/share/djigzo/scripts/scripts.d/
The settings for the publish script, like for example the LDAP host, should be configured to match the companies LDAP.
The default settings can be overridden using the default file
sudo vi /etc/default/cm-event-certificate-created-settings
The following settings can be set:
This is the LDAP host to connect to. This is a require parameter and should be set to the companies LDAP server.
The format should be
[SCHEME]://[FQDN]:[PORT]where [SCHEME] should be
The DN of the LDAP tree to bind to.
The LDAP password.
The DN of the LDAP tree where the search for the user should start. The
The search scope can be used to limit the search. Select
childrento specify a base object, one-level, subtree, or children search. The default is sub.
Specify how aliases dereferencing is done. Should be one of
find. The default is
If set to true, the existing certificate will be deleted before importing the new certificate. The default is false.
If set to true, and the DN for the user is not found, a new DN will be created. The DN will be created at the configured
cnset to the email address of the user. The default is false.
example of the added LDAP entry:
dn: firstname.lastname@example.org,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: email@example.com sn: Unknown mail: firstname.lastname@example.org userCertificate;binary:: ...
At minimal, the following variables should be changed to match your LDAP server:
Example settings file for looking a certificate on certifikat.dk while excluding gmail.com and outlook.com:
ldap_uri="ldap://ldap.example.com" ldap_bind_dn="cn=admin,dc=example,dc=com" ldap_password="openldap" ldap_base_dn="ou=People,dc=example,dc=com" delete_before_import=true add_dn_if_not_found=true
Test whether the script can publish a certificate to the ldap server:
Testing requires a test certificate to be available on the command line. If no test certificate is available, a dummy test certificate can be generated with openssl
openssl req -newkey rsa:2048 -keyout test.key -nodes -subj "/CN=example.com" -out test.csr openssl x509 -req -days 1825 -sha256 -in test.csr -signkey test.key -out test.cer
cat test.cer | /usr/share/djigzo/scripts/scripts.d/event-certificate-created.sh --email [email protected]
Note: Replace email@example.com with a valid email address for which the certificate should be published to LDAP.
If the publish was successful, the following output should be shown:
DN firstname.lastname@example.org,ou=People,dc=example,dc=com found for email email@example.com modifying entry "[email protected],ou=People,dc=example,dc=com" modifying entry "[email protected],ou=People,dc=example,dc=com" Certificate for firstname.lastname@example.org added to DN email@example.com,ou=People,dc=example,dc=com
if the publish was not successul, the returned error message should provide more info. For example if the user DN was not found and if
add_dn_if_not_found was not set the following error is reported:
DN for firstname.lastname@example.org not found
sudo service djigzo restart
Now when the gateway generates a new certificate, the certificate will be published to LDAP.
Check the back-end log file to see whether the back-end starts without any problems:
tail -f /var/log/djigzo.log
Make sure the correct root and intermediate certificates are installed on the gateway otherwise the certificates retrieved from LDAP will not be trusted and therefore not used.