LDAP certificate publish

The gateway can be configured to automatically publish S/MIME certificates, generated by the built-in CA, to an external LDAP.

The LDAP publish script will try to look up the DN for the user and, if found, the certificate will be added to the user entry. If the user DN is not found, the certificate will not be added unless add_dn_if_not_found is set.

Enabling LDAP certificate publish requires some configuration from the command line.

Install

Login to the gateway console with SSH.

Tip

Windows users can for example use the free PuTTY SSH client.

Enable the service:

sudo ln -s /usr/share/djigzo-event/conf/spring/event-certificate-created.xml /usr/share/djigzo/conf/spring/spring.d/

Copy the default script to the directory from which scripts will be executed:

sudo cp  /usr/share/djigzo-event/scripts/event-certificate-created.sh /usr/share/djigzo/scripts/scripts.d/

Configure

The settings for the publish script, for example the LDAP host, should be configured to match the company's LDAP.

The default settings can be overridden using the default file /etc/default/cm-event-certificate-created-settings.

sudo vi /etc/default/cm-event-certificate-created-settings

The following settings can be set:

ldap_uri

This is the LDAP host to connect to. This is a required parameter and should be set to the company's LDAP server.

The format should be [SCHEME]://[FQDN]:[PORT] where [SCHEME] should be ldap or ldaps.

Examples:

ldap://ldap.example.com:389
ldaps://10.0.0.2:389

ldap_bind_dn

The DN of the LDAP tree to bind to.

Example:

cn=admin,dc=example,dc=com

ldap_password

The LDAP password.

ldap_base_dn

The DN of the LDAP tree where the search for the user should start. The

Example:

ou=People,dc=example,dc=com

search_scope

The search scope can be used to limit the search. Select base, one, sub, or children to specify a base object, one-level, subtree, or children search. The default is sub.

alias_dereferencing

Specify how alias dereferencing is done. Should be one of never, always, search, or find. The default is never.

delete_before_import

If set to true, the existing certificate will be deleted before importing the new certificate. The default is false.

add_dn_if_not_found

If set to true, and the DN for the user is not found, a new DN will be created. The DN will be created at the configured ldap_base_dn with cn set to the email address of the user. The default is false.

Example of the added LDAP entry:

dn: cn=test@example.com,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: test@example.com
sn: Unknown
mail: test@example.com
userCertificate;binary:: ...
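The add-versus-modify decision that the settings above control, as an added Python example that is not the gateway's own publish script: it emits the LDIF that ldapmodify would consume, so the logic can be checked without an LDAP server. The certificate bytes below are a constructed placeholder; in practice pass the DER of a real certificate (for example the test.cer generated with openssl).

```python
"""Build the LDIF a certificate publish step would hand to ldapmodify."""
import base64
import re

# Constructed placeholder standing in for a real DER certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")
BASE_DN = "ou=People,dc=example,dc=com"   # the configured ldap_base_dn


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of the first certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def build_ldif(email, user_dn, der, base_dn=BASE_DN,
               add_dn_if_not_found=False, delete_before_import=False):
    """Return (ldif_text, target_dn) for publishing `der` for `email`.

    user_dn is the DN the search returned, or None when no entry matched.
    Mirrors the documented behaviour: a missing DN is an error unless
    add_dn_if_not_found is set, in which case cn=<email>,<base_dn> is created.
    """
    b64 = base64.b64encode(der).decode("ascii")   # LDIF "::" means base64 value
    if user_dn is None:
        if not add_dn_if_not_found:
            raise LookupError(f"DN for {email} not found")
        dn = f"cn={email},{base_dn}"
        lines = [f"dn: {dn}", "changetype: add", "objectClass: inetOrgPerson",
                 f"cn: {email}", "sn: Unknown", f"mail: {email}",
                 f"userCertificate;binary:: {b64}"]
        return "\n".join(lines) + "\n", dn
    lines = [f"dn: {user_dn}", "changetype: modify"]
    if delete_before_import:
        # Removes every existing value; the whole modify fails with
        # noSuchAttribute if the entry holds no certificate yet.
        lines += ["delete: userCertificate;binary", "-"]
    lines += ["add: userCertificate;binary", f"userCertificate;binary:: {b64}", "-"]
    return "\n".join(lines) + "\n", user_dn


if __name__ == "__main__":
    ldif, dn = build_ldif("test@example.com", None, pem_to_der(SAMPLE_PEM),
                          add_dn_if_not_found=True)
    print(f"Certificate for test@example.com added to DN {dn}\n{ldif}")
```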

Note

At a minimum, the following variables should be changed to match your LDAP server: ldap_uri, ldap_bind_dn, ldap_password and ldap_base_dn.

Example settings

Example settings file:

ldap_uri="ldap://ldap.example.com"
ldap_bind_dn="cn=admin,dc=example,dc=com"
ldap_password="openldap"
ldap_base_dn="ou=People,dc=example,dc=com"
delete_before_import=true
add_dn_if_not_found=true

Test

Test whether the script can publish a certificate to the LDAP server:

Note

Testing requires a test certificate to be available on the command line. If no test certificate is available, a dummy test certificate can be generated with openssl.

openssl req -newkey rsa:2048 -keyout test.key -nodes -subj "/CN=example.com" -out test.csr
openssl x509 -req -days 1825 -sha256 -in test.csr -signkey test.key -out test.cer
cat test.cer | /usr/share/djigzo/scripts/scripts.d/event-certificate-created.sh --email test@example.com

Note: Replace test@example.com with a valid email address for which the certificate should be published to LDAP.

If the publish was successful, the following output should be shown:

DN cn=test@example.com,ou=People,dc=example,dc=com found for email test@example.com
modifying entry "cn=test@example.com,ou=People,dc=example,dc=com"

modifying entry "cn=test@example.com,ou=People,dc=example,dc=com"

Certificate for test@example.com added to DN cn=test@example.com,ou=People,dc=example,dc=com

If the publish was not successful, the returned error message should provide more info. For example, if the user DN was not found and add_dn_if_not_found was not set, the following error is reported:

DN for test@example.com not found

Finish

Restart the back-end:

sudo service djigzo restart

Now when the gateway generates a new certificate, the certificate will be published to LDAP.

Check the back-end log file to see whether the back-end starts without any problems:

tail -f /var/log/djigzo.log

Note

Make sure the correct root and intermediate certificates are installed on the gateway; otherwise the certificates retrieved from LDAP will not be trusted and therefore not used.