README
¶
About
This repository contains tools to manage x509 certificates in an LDAP directory (like Microsoft Active Directory).
These tools are part of a larger certificate management infrastructure at KIT.
certificate2ldap
certificate2ldap retrieves certificates from an AMQP broker (like rabbitmq) and publishes
them into an LDAP directory service according to custom publication heuristics. Multiple email addresses via SANs
are supported. All modified LDAP objects are then cleaned to only have minimal certificate subsets.
cleanupldapcerts
cleanupldapcerts finds all LDAP objects that have userCertificate attributes and cleans up their certificates.
Installation
Install Linux. Install the Go compiler.
Create a new system user certificate2ldap.
Become certificate2ldap:
su - certificate2ldap
Create some directories:
mkdir -p ~/src && cd ~/src
Clone this repo:
git clone https://git.scc.kit.edu/KIT-CA/certificate2ldap.git
Get all dependencies and build all tools:
cd certificate2ldap
go mod tidy
cd cmd/certificate2ldapd
go install -ldflags="-s -w"
cd ../..
cd cmd/cleanupldapcerts
go install -ldflags="-s -w"
cd ../..
Copy the example config and edit accordingly:
mkdir -p ~certificate2ldap/.config
cp config.example.toml ~certificate2ldap/.config/certificate2ldap.toml
$EDITOR ~certificate2ldap/.config/certificate2ldap.toml
Install the systemd unit files and start the services:
ln -t /etc/systemd/system/ systemd/
systemctl daemon-reload
systemctl enable -now certificate2ldapd.service
systemctl enable -now cleanupldapcerts.timer
Documentation
¶
Index ¶
- Constants
- Variables
- func ExtractFromProxyAddresses(pa []string) []string
- func FilterSampleCertificates(path string, Whitelists, Blacklists ctb.ExceptionMaps)
- func Statistics(path string)
- type LDAPConfig
- type LDAPConn
- func (lc *LDAPConn) AddCertificate(certificate *x509.Certificate, dryRun bool) (matchingDNs []string, err error)
- func (lc *LDAPConn) CleanupDN(dn string, additionalCerts []*x509.Certificate, ...) (kept, added, deleted, deletedP7 []*x509.Certificate, err error)
- func (lc *LDAPConn) FindUserByProxyAddresses(emailAddresses []string) ([]LDAPUser, error)
- func (lc *LDAPConn) Modify(modifyRequest *ldap.ModifyRequest) (err error)
- func (lc *LDAPConn) Reconnect() (err error)
- func (lc *LDAPConn) Search(searchRequest *ldap.SearchRequest) (results *ldap.SearchResult, err error)
- type LDAPUser
Constants ¶
const (
CONFIGLDAPRETRIES = 16
)
Variables ¶
var ( ErrNothingToPublish = errors.New("Nothing to publish") ErrNoMatchingLDAPObject = errors.New("No matching LDAP objects found") )
var Testcertificate = []byte{}/* 1777 elements not displayed */
Functions ¶
func FilterSampleCertificates ¶
func FilterSampleCertificates(path string, Whitelists, Blacklists ctb.ExceptionMaps)
check a bunch of certificates from AD against our filter function use this to get all the files: ldapsearch -O maxssf=0 -Y GSSAPI -E pr=1000/noprompt -H ldaps://kit-dc-10.kit.edu:636 -tt "(userCertificate=*)" userCertificate
Types ¶
type LDAPConfig ¶
type LDAPConn ¶
type LDAPConn struct {
LDAPConn *ldap.Conn
Config LDAPConfig
}
func NewLDAPConnection ¶
func NewLDAPConnection(config LDAPConfig) (lc *LDAPConn, err error)
create new LDAPConn object and connect+bind to ldap server
func (*LDAPConn) AddCertificate ¶
func (lc *LDAPConn) AddCertificate(certificate *x509.Certificate, dryRun bool) (matchingDNs []string, err error)
AddCertificate adds as certificate to all matching ldap objects
func (*LDAPConn) CleanupDN ¶
func (lc *LDAPConn) CleanupDN(dn string, additionalCerts []*x509.Certificate, whitelists, blacklists ctb.ExceptionMaps, dryRun bool) (kept, added, deleted, deletedP7 []*x509.Certificate, err error)
clean up certificate collection for a specific LDAP object
func (*LDAPConn) FindUserByProxyAddresses ¶
func (*LDAPConn) Modify ¶
Modify is like ldap.Modify, but with reconnect on network error
func (*LDAPConn) Reconnect ¶
re-connect and bind to LDAP server
type LDAPUser ¶
type LDAPUser struct {
DN string
MailAddresses []string
Certificates []*x509.Certificate
}
Source Files
Directories