National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

The MyProxy CA includes LDAP support for mapping usernames (specified via myproxy-logon -l) to subject distinguished names (DN) in issued certificates, as an alternative to the certificate_mapfile option in the myproxy-server.config file. The MyProxy CA supports both regular LDAP connections and LDAP over SSL. The server retrieves the DN for the user either from the DN of the returned record itself (the default behavior) or from a record attribute optionally specified in the configuration file (using the ca_ldap_dn_attribute directive). LDAP basic authentication is supported and the configuration file may specify a "connect as" DN and passphrase with which to authenticate to the server.

Building LDAP Support

  1. Install OpenLDAP version 2.3 (or later). Using OpenLDAP packages from your operating system vendor is recommended if possible.

    If you plan to use LDAP over SSL/TLS, be sure your OpenLDAP libraries are built with TLS support (i.e., using the ./configure --with-tls option).

    Only OpenLDAP libraries are required, not the server, so (for example) you can configure your OpenLDAP build like this:

    ./configure --prefix=/usr/local/openldap-for-myproxy --disable-slapd

  2. Install the Globus Toolkit. The best method is to follow the instructions for building and installing only MyProxy using the Globus Toolkit. Any version of the Globus Toolkit compatible with MyProxy (currently GT 2.4 or later) should work. Be sure to obtain X.509 user and host credentials before proceeding.
  3. Untar the latest MyProxy release and run

    ./configure --with-flavor=gcc32dbg --with-openldap=/usr

    changing the flavor and openldap install paths as appropriate. The configure routines will search in the /lib and /include directories specified in the path for the appropriate header and library files. Then run

    make install

    to compile MyProxy with the LDAP extensions in the myproxy-server.
  4. Finally, configure your MyProxy server according to the MyProxy Administrator's Guide. Be sure to configure the ca_ldap options in the myproxy-server.config file as appropriate for your LDAP server.

The LDAP Search Mechanism

The MyProxy server will bind to the configured LDAP server, optionally using LDAP basic authentication, and will perform a SUBTREE search using the filter (ca_ldap_uid_attribute=username) with the ca_ldap_uid_attribute configured in the myproxy-server.config file. The server is expected to return one record. Any other result is considered an error. The DN is extracted from the ca_ldap_dn_attribute, if configured in the myproxy-server.config; otherwise, MyProxy will use the DN of the record itself. The value of the DN attribute must be in one of LDAP V2, V3 or DCE/OSF formats. Verification is done via the OpenLDAP DN parsing routines. If the retrieved DN passes validation, it is then passed back to the CA for processing.

Caveats

As described above, the schema/layout of the user database must conform to a certain format (i.e., the form of the filter, a single searchbase DN with one record returned). If the optional cal_ldap_dn_attribute directive is set, there should be only one attribute with that name in the returned record, and that attribute should have only one value. Additionally, the DN supplied in that attribute must conform to the aforementioned formats.

When using either a supplied DN or the record DN, validation is only done on the format and not contents of the DN. All DN attribute prefixes must be compatible with those allowed in an X.509 certificate. The DN might pass formatting validation but still contain values that are not compatible with use in an X.509 certificate name.

There are certain external configuration issues (/etc/ldap.conf or ~/.ldaprc) required to enable SSL support in the environment that the myproxy-server is running in. It is identical to what would be required to ssl-enable the ldapsearch command line utility. These configuration issues fall outside of the scope of this document.

It is expected that the server that is being bound to speaks LDAP V3.

The support is based on the recent OpenLDAP (2.3.7) stable releases. All calls are based on current non-deprecated functions. This has not been tested against toolkits older than 2.3.7 or any other LDAP toolkits.

MyProxy CA LDAP support was contributed by Monte Goode from Lawrence Berkeley National Laboratory.

Last modified 07/28/06.
©2000-2016 Board of Trustees of the University of Illinois.