The MyProxy CA includes LDAP support for mapping usernames (specified via myproxy-logon -l) to subject distinguished names (DN) in issued certificates, as an alternative to the certificate_mapfile option in the myproxy-server.config file. The MyProxy CA supports both regular LDAP connections and LDAP over SSL. The server retrieves the DN for the user either from the DN of the returned record itself (the default behavior) or from a record attribute optionally specified in the configuration file (using the ca_ldap_dn_attribute directive). LDAP basic authentication is supported and the configuration file may specify a "connect as" DN and passphrase with which to authenticate to the server.
Building LDAP Support
The LDAP Search Mechanism
The MyProxy server will bind to the configured LDAP server, optionally using LDAP basic authentication, and will perform a SUBTREE search using the filter (ca_ldap_uid_attribute=username) with the ca_ldap_uid_attribute configured in the myproxy-server.config file. The server is expected to return one record. Any other result is considered an error. The DN is extracted from the ca_ldap_dn_attribute, if configured in the myproxy-server.config; otherwise, MyProxy will use the DN of the record itself. The value of the DN attribute must be in one of LDAP V2, V3 or DCE/OSF formats. Verification is done via the OpenLDAP DN parsing routines. If the retrieved DN passes validation, it is then passed back to the CA for processing.
As described above, the schema/layout of the user database must conform to a certain format (i.e., the form of the filter, a single searchbase DN with one record returned). If the optional cal_ldap_dn_attribute directive is set, there should be only one attribute with that name in the returned record, and that attribute should have only one value. Additionally, the DN supplied in that attribute must conform to the aforementioned formats.
When using either a supplied DN or the record DN, validation is only done on the format and not contents of the DN. All DN attribute prefixes must be compatible with those allowed in an X.509 certificate. The DN might pass formatting validation but still contain values that are not compatible with use in an X.509 certificate name.
There are certain external configuration issues (/etc/ldap.conf or ~/.ldaprc) required to enable SSL support in the environment that the myproxy-server is running in. It is identical to what would be required to ssl-enable the ldapsearch command line utility. These configuration issues fall outside of the scope of this document.
It is expected that the server that is being bound to speaks LDAP V3.
The support is based on the recent OpenLDAP (2.3.7) stable releases. All calls are based on current non-deprecated functions. This has not been tested against toolkits older than 2.3.7 or any other LDAP toolkits.
MyProxy CA LDAP support was contributed by Monte Goode from Lawrence Berkeley National Laboratory.