7. LDAP

OpenCA provides an LDAP interface for users to download certificates from a central repository. This interface can be utilised by browser address books and specialised LDAP clients.

Before the OpenCA RA components can write certificates and CRLs to the directory, you must have an LDAP-compliant directory installed and reachable from the RA components (it can run on the same machine or a different one). One example of a suitable directory is the OpenLDAP project.

7.1. Configuration of the Directory

A full description of the configuration of your LDAP directory is outside the scope of this document. Important points to note are:
  • Ensure that the following schemas are included (probably in the slapd.conf file):
    • core.schema

    • cosine.schema

    • inetorgperson.schema

  • Ensure the directory is started with the appropriate suffix (e.g. o=myorg,c=gb).

  • Ensure the rootdn is specified.

  • Ensure the root password is specified.

7.2. Configuration of the RA components

Two configuration files must be configured for the RA component to make use of the LDAP directory to store certificates: OPENCADIR/etc/servers/online.conf and OPENCADIR/etc/servers/ldap.conf. OpenCA uses the following variables to configure the LDAP server (ensure the following entries match your LDAP server):
LDAP

If you set this option to yes or on then the LDAP code will be activated.

ldapserver

This is the hostname of your LDAP server.

ldapport

This is the port where your LDAP server listens.

basedn

This option contains the base DN of your LDAP server, i.e. the root of the directory tree. It is the same thing that OpenLDAP's configuration file calls the suffix. You can list several suffixes here if your LDAP server supports this feature (e.g. OpenLDAP v2). The suffixes must be separated by whitespace, each in its own double quotes (e.g. "o=Humboldt-University of Berlin, c=DE" "o=Charite, c=DE").

ldaproot

This is the DN of the user which OpenCA uses to bind to the LDAP server and add or remove entries. Most users set the root user (rootdn) of the LDAP server here, but this is not mandatory.

ldappwd

This is the passphrase for the DN which is used to bind to the server (ldaproot). At present this passphrase is stored in cleartext.

ldapversion

OpenCA supports LDAP v2 and v3. The default is v2 because every server can support v2. However, several newer distributions, especially Linux distributions, deactivate LDAP v2 support, so if the OpenCA LDAP code fails completely, first check that the protocol versions of OpenCA and your LDAP server match.

Other options, like ldaptls and ldapsasl, require LDAP v3, so be careful which protocol version you choose. If your LDAP server supports protocol version 3, use it; it avoids a lot of trouble.

ldaptls

Use no or yes to deactivate or activate TLS. Please remember that this option only works with LDAP v3.

ldapsasl

Use no or yes to deactivate or activate SASL. Please remember that this option only works with LDAP v3. We use CRAM-MD5 for passphrase hashing.

updateLDAPautomatic

This option will be used by the node interface. If the value is yes then the LDAP server will be updated automatically during imports of certificates, CRRs or CRLs.

LDAP_CRL_Issuer

Some users want to store the CRL in a special node of the LDAP server which is not identical with the issuer of the CRL. This can happen if the user specifies a special CRL Distribution Point (CDP) which differs from the subject of the CA certificate. Here you can specify this special distinguished name. Note that OpenCA is currently not able to add this node automatically if it is not present.

LDAP_CA_DN

Some users want to store the CA certificate in a node that does not conform to the standard layout, for example because an already existing directory structure conflicts with the PKI structure. Here they can add the distinguished name of this special node. Unlike LDAP_CRL_Issuer, this node can be added automatically by OpenCA.

LDAPexcludedRoles

OpenCA supports the possibility to exclude roles from certificate publishing. This can be useful for security reasons and may be required by privacy laws. If you have such a special role, simply add it to this option (e.g. "Corporate Security" "Security Officer" "IDS").

7.3. Writing Certificates to the Directory

As long as the option updateLDAPautomatic is set to yes, the RA will attempt to upload certificates to the directory after an import. Before this can happen the directory must be initialised and the appropriate structure must be created. In this version of OpenCA this initialisation is done automatically.