LDAP Certificate Authentication

Security domain controllers can be configured to perform certificate authentication using an LDAP server. When certificate authentication is used and a security domain requestor attempts to connect to a metaspace, the user will be prompted to enter the following:

1. Path to a PKCS#12 (.p12) file to use for authentication.

2. Password for the private key inside of the PKCS#12 file.

The authentication information is passed to the security domain controller, which tries to authenticate the user against the LDAP server configured in the security policy file.

To configure the security policy file to perform LDAP certificate authentication with an LDAP server, the authentication setting uses the following format:

authentication=userpwd;source=ldap;name=<LDAP object name>;
host=<LDAP server name>;securePort=<port number>;trustStore=<LDAP keystore>;
baseDN=<DN of parent>;hint=<message displayed to user>

where the secure LDAP connection parameters are:

name
  Name of the LDAP attribute to query for (for example, cn for common name, uid for unique ID).
host
  The fully qualified domain name of the LDAP server (for example, ldapsrvr.com).
securePort
  The port on which LDAP clients connect to the LDAP server using SSL/TLS (default: 636).
trustStore
  A file that contains the secure LDAP server's certificate chain.
baseDN
  The distinguished name of the parent of the LDAP subtree to search (for example, dc=users,dc=com).
hint
  A message displayed to the user as a hint of what they should enter.

When LDAP certificate authentication is used, the connection to the LDAP server must always be secure (SSL/TLS). The security domain controller uses the contents of the trustStore file to authenticate the LDAP server when establishing the connection. The trust store can be a .p7b file containing only certificates and certificate chains. If the LDAP server certificate is self-signed, the trust store can instead be a .pem certificate file or a binary DER format file.
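The following is an added example, not part of the product documentation, showing how a policy-file reader could parse the authentication setting above, enforce the fields LDAP certificate authentication needs (source=ldap, name, host, trustStore, baseDN, with securePort defaulting to 636), build the LDAPS URL and a lookup filter, and classify the trust store file as PEM or DER. The key names are those of the setting format on this page; the host name, file path and hint text in the sample are constructed, and the RFC 4515 filter escaping is this example's own addition.

```python
"""Parse and sanity-check an LDAP certificate-authentication 'authentication=' setting."""
from dataclasses import dataclass
from typing import Dict, Optional

# Fields from the setting format; all but securePort and hint must be present
# before the controller can open a TLS connection and search the directory.
REQUIRED_KEYS = ("name", "host", "trustStore", "baseDN")
DEFAULT_SECURE_PORT = 636  # documented default for LDAP over SSL/TLS


@dataclass
class LdapAuthSetting:
    name: str          # attribute to query, e.g. cn or uid
    host: str          # FQDN of the LDAP server
    secure_port: int
    trust_store: str   # path of the file holding the server's certificate chain
    base_dn: str       # parent of the subtree that is searched
    hint: Optional[str] = None

    def ldaps_url(self) -> str:
        """URL form of the connection the controller must open (TLS only)."""
        return f"ldaps://{self.host}:{self.secure_port}/{self.base_dn}"

    def search_filter(self, value: str) -> str:
        """Filter for looking up the requestor by the configured attribute.

        The value normally comes from the presented certificate's subject, so
        RFC 4515 special characters are escaped (this example's addition) to
        keep an untrusted value from changing the filter structure.
        """
        escaped = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)
        return f"({self.name}={escaped})"


def parse_setting(line: str) -> Dict[str, str]:
    """Split 'key=value;key=value' into a dict.

    Only the first '=' separates key from value, so a DN such as
    'dc=users,dc=com' survives intact; line breaks (as in the wrapped
    example on the page) are tolerated.
    """
    fields: Dict[str, str] = {}
    for part in line.replace("\n", "").split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field {part!r}: expected key=value")
        key, value = part.split("=", 1)
        key = key.strip()
        if key in fields:
            raise ValueError(f"duplicate key {key!r}")
        fields[key] = value.strip()
    return fields


def load_ldap_auth_setting(line: str) -> LdapAuthSetting:
    """Parse the setting and enforce what LDAP certificate authentication needs."""
    fields = parse_setting(line)
    if fields.get("source") != "ldap":
        raise ValueError("source must be 'ldap' for LDAP certificate authentication")
    missing = [k for k in REQUIRED_KEYS if not fields.get(k)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    port_text = fields.get("securePort", str(DEFAULT_SECURE_PORT))
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"securePort must be 1-65535, got {port_text!r}")
    return LdapAuthSetting(
        name=fields["name"],
        host=fields["host"],
        secure_port=int(port_text),
        trust_store=fields["trustStore"],
        base_dn=fields["baseDN"],
        hint=fields.get("hint"),
    )


def setting_error(line: str) -> Optional[str]:
    """Return None if the setting is acceptable, else the reason it is rejected."""
    try:
        load_ldap_auth_setting(line)
    except ValueError as exc:
        return str(exc)
    return None


def trust_store_format(data: bytes) -> str:
    """Classify trust store bytes as 'pem', 'der' or 'unknown'.

    PEM (a .pem certificate or a PEM-armoured .p7b) is text starting with a
    '-----BEGIN' line; binary DER (a certificate or PKCS#7 blob) starts with
    the ASN.1 SEQUENCE tag 0x30.
    """
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):
        return "pem"
    if head[:1] == b"\x30":
        return "der"
    return "unknown"


# Constructed sample in the page's format; host, path and hint text are made up.
SAMPLE_SETTING = (
    "authentication=userpwd;source=ldap;name=cn;"
    "host=ldap.example.com;securePort=636;trustStore=/etc/as/ldap-chain.p7b;"
    "baseDN=dc=users,dc=com;hint=Enter the path to your PKCS#12 file"
)

if __name__ == "__main__":
    setting = load_ldap_auth_setting(SAMPLE_SETTING)
    print(setting.ldaps_url())
    print(setting.search_filter("alice"))
    print(setting_error(SAMPLE_SETTING.replace("trustStore=/etc/as/ldap-chain.p7b;", "")))
```

Running the module prints the LDAPS URL derived from the sample, the filter used to find the requestor's entry, and the rejection reason for a setting that omits trustStore. The check that `source` is `ldap` and that a trust store is named is the part worth wiring into deployment tooling: without them the controller cannot verify the LDAP server's certificate chain before sending authentication material.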