|Applies To||Keon Certificate Authority 6.5.1|
Sun ONE Directory Server 5.2
Microsoft Active Directory
|Issue||How to publish certificates from RSA Keon Certificate Authority to an external LDAP (Sun ONE or Active Directory) using email from certificates' subject DN|
External LDAP (Sun ONE or Active Directory) is configured as follows:
Other details and constraints are as follows:
- Full city names are used in the external LDAP as values for OU. For example, OU=<some-city-x> may look like OU=Chicago.
- CN in the DN of user objects in LDAP contains userid values (e.g., "jdoe") rather than the full name of the user (e.g., "John Doe"). For example, a user John Doe may exist at the DN "CN=jdoe,OU=users,OU=Chicago,OU=branchoffices,O=sales,DC=acme,DC=com".
- The MAIL attribute of the user objects in LDAP contains unique values
- The subject DN of the certificates generated through Keon CA contains the attributes CN, OU, C, and EA/EMAIL
- The CN attribute in the certificates' subject DN contains the full name of the user (e.g., "John Doe")
- The OU attribute in the certificates' subject DN contains 3-letter abbreviations of cities (e.g., BOS for Boston)
- The only attribute value common between the certificates generated by Keon CA and the LDAP user objects to which the certificates need to be published is the email address
Keon CA must be configured to publish certificates to correct user objects in the external LDAP. User objects are present in the external LDAP, and Keon CA need not create any user objects, only publish the certificates.
|Resolution||Configure the "External Publishing" section of the jurisdiction configuration as follows (Keon CA administrative interface => CA Operations workbench => view a CA => select a jurisdiction under 'Jurisdiction Configuration' and click the 'Configure' button => select the section 'External Publishing'):|
Publish Certificates: Checked
Host: <LDAP host name>
Port: <LDAP port number>
Bind DN: <LDAP bind DN>
Bind Password: <LDAP bind password>
Base DN: O=sales,DC=acme,DC=com
Create DN From Certificate DN: Not Checked
Certificate DN: MAIL
[IMPORTANT NOTE: If you enter an all lower case value (e.g., "mail") in the "Certificate DN" box, this value will be changed to an all uppercase value after saving the jurisdiction settings. Also, this specific attribute name is used to construct the search filter. This attribute name need not be present in the certificate DN, and if so, then an appropriate DN Mapping must be specified as listed below.]
DN Mapping: MAIL -> email
[IMPORTANT NOTE: Any value entered in the "From" box is considered case sensitive. So, this value must be all in uppercase to ensure it matches the value entered above in the "Certificate DN" box. Values entered in the "To" box are case insensitive.]
Use Search to Create DN: Checked
End-Entity Class: <user object's objectclass>
[Example: "inetorgperson" for Sun ONE Directory Server; "User" for Active Directory]
End-Entity Certificate Field: userCertificate
Create End Entity As: This field must be left empty as user objects already exist in external LDAP and need not be created by Keon CA
Save the above configuration, and test by publishing an existing end-entity certificate or issue a new test certificate. The certificate should be published to the external LDAP.
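The following is an added illustration, not Keon CA code or output from this article: it models how the settings above resolve a publish target. The "Certificate DN" box names the LDAP attribute the search filter is built on, the DN Mapping points at the certificate attribute that supplies the value (matched case-insensitively on the "To" side), and the lookup is refused when the e-mail does not identify exactly one entry under the Base DN. The subject DN and directory entries are constructed sample data laid out as the article describes.

```python
import re

# Constructed sample data (not from the article): one subject DN and two entries
# laid out as the article describes (CN=userid, OU=full city name, unique mail).
CERT_SUBJECT_DN = "CN=John Doe,OU=BOS,C=US,EMAIL=jdoe@acme.com"
DIRECTORY = {
    "CN=jdoe,OU=users,OU=Chicago,OU=branchoffices,O=sales,DC=acme,DC=com":
        {"objectclass": "inetorgperson", "mail": "JDoe@acme.com"},
    "CN=asmith,OU=users,OU=Boston,OU=branchoffices,O=sales,DC=acme,DC=com":
        {"objectclass": "inetorgperson", "mail": "asmith@acme.com"},
}
# Jurisdiction "External Publishing" settings from the article
BASE_DN = "O=sales,DC=acme,DC=com"
CERT_DN_ATTR = "MAIL"             # LDAP attribute the search filter is built on
DN_MAPPING = {"MAIL": "email"}    # "From" side is case-sensitive, "To" side is not
END_ENTITY_CLASS = "inetorgperson"
END_ENTITY_CERT_FIELD = "userCertificate"

def parse_rdn_attrs(dn):
    """Split a simple (unescaped) DN into {ATTRIBUTE_TYPE: value}; types are uppercased."""
    return {t.strip().upper(): v.strip() for t, v in (r.split("=", 1) for r in dn.split(","))}

def ldap_filter_escape(value):
    """Escape filter metacharacters (RFC 4515) so a subject value cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def search_value(cert_subject_dn):
    """Take the filter value from the certificate attribute the DN Mapping points to."""
    source_attr = DN_MAPPING.get(CERT_DN_ATTR, CERT_DN_ATTR).upper()  # "email" -> EMAIL
    attrs = parse_rdn_attrs(cert_subject_dn)
    if source_attr not in attrs:   # mapping is required when MAIL is not in the subject
        raise ValueError("certificate subject has no %s attribute" % source_attr)
    return attrs[source_attr]

def build_search_filter(cert_subject_dn):
    """The lookup filter the publish step would send: objectclass AND mapped attribute."""
    value = ldap_filter_escape(search_value(cert_subject_dn))
    return "(&(objectClass=%s)(%s=%s))" % (END_ENTITY_CLASS, CERT_DN_ATTR.lower(), value)

def find_publish_target(cert_subject_dn, directory=DIRECTORY):
    """Return the one entry under BASE_DN that matches; refuse on 0 or 2+ hits, since the
    scheme depends on mail being unique (mail values compare case-insensitively)."""
    value = search_value(cert_subject_dn).lower()
    matches = [dn for dn, e in directory.items()
               if dn.upper().endswith("," + BASE_DN.upper())
               and e.get("objectclass", "").lower() == END_ENTITY_CLASS
               and e.get(CERT_DN_ATTR.lower(), "").lower() == value]
    if len(matches) != 1:
        raise LookupError("expected exactly one match, found %d" % len(matches))
    return matches[0]   # the entry whose END_ENTITY_CERT_FIELD receives the certificate
```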
|Legacy Article ID||a29496|