-
Notifications
You must be signed in to change notification settings - Fork 138
PKI TPS Authenticator CLI
To list authenticators:
$ pki -n caadmin tps-authenticator-find ----------------- 1 entries matched ----------------- Authenticator ID: ldap1 Status: Enabled ---------------------------- Number of entries returned 1 ----------------------------
To page the results, specify the index of the first entry to return with --start
parameter and the number of entries to return with --size
parameter.
To display the authenticator configuration:
$ pki -n caadmin tps-authenticator-show ldap1 --------------------- Authenticator "ldap1" --------------------- Authenticator ID: ldap1 Status: Enabled Properties: auths.instance.ldap1.authCredName: uid auths.instance.ldap1.dnpattern: auths.instance.ldap1.externalReg.certs.recoverAttributeName: certsToAdd auths.instance.ldap1.externalReg.cuidAttributeName: tokenCUID auths.instance.ldap1.externalReg.tokenTypeAttributeName: tokenType auths.instance.ldap1.ldap.basedn: dc=example,dc=com auths.instance.ldap1.ldap.ldapauth.authtype: BasicAuth auths.instance.ldap1.ldap.ldapauth.bindDN: auths.instance.ldap1.ldap.ldapauth.bindPWPrompt: ldap1 auths.instance.ldap1.ldap.ldapauth.clientCertNickname: subsystemCert cert-pki-tomcat auths.instance.ldap1.ldap.ldapconn.host: pki.example.com auths.instance.ldap1.ldap.ldapconn.port: 389 auths.instance.ldap1.ldap.ldapconn.secureConn: False auths.instance.ldap1.ldap.ldapconn.version: 3 auths.instance.ldap1.ldap.maxConns: 15 auths.instance.ldap1.ldap.minConns: 3 auths.instance.ldap1.ldapByteAttributes: auths.instance.ldap1.ldapStringAttributes: mail,cn,uid auths.instance.ldap1.ldapStringAttributes._000: ################################# auths.instance.ldap1.ldapStringAttributes._001: # For isExternalReg auths.instance.ldap1.ldapStringAttributes._002: # attributes will be available as auths.instance.ldap1.ldapStringAttributes._003: # $<attribute>$ auths.instance.ldap1.ldapStringAttributes._004: # attributes example: auths.instance.ldap1.ldapStringAttributes._005: #mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType auths.instance.ldap1.ldapStringAttributes._006: ################################# auths.instance.ldap1.pluginName: UidPwdDirAuth auths.instance.ldap1.ui.description.en: This authenticates user against the LDAP directory. auths.instance.ldap1.ui.id.PASSWORD.credMap.authCred: pwd auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.extlogin: PASSWORD auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.login: password auths.instance.ldap1.ui.id.PASSWORD.description.en: LDAP Password auths.instance.ldap1.ui.id.PASSWORD.name.en: LDAP Password auths.instance.ldap1.ui.id.UID.credMap.authCred: uid auths.instance.ldap1.ui.id.UID.credMap.msgCred.extlogin: UID auths.instance.ldap1.ui.id.UID.credMap.msgCred.login: screen_name auths.instance.ldap1.ui.id.UID.description.en: LDAP User ID auths.instance.ldap1.ui.id.UID.name.en: LDAP User ID auths.instance.ldap1.ui.retries: 3 auths.instance.ldap1.ui.title.en: LDAP Authentication
To download the authenticator configuration into a file:
$ pki -n caadmin tps-authenticator-show ldap1 --output ldap1.xml ------------------------------------------- Stored authenticator "ldap1" into ldap1.xml -------------------------------------------
The configuration is stored in XML format:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Authenticator id="ldap1" xmlns:ns2="http://www.w3.org/2005/Atom"> <Link href="https://pki.example.com:8443/tps/rest/authenticators/ldap1" rel="self"/> <Properties> <Property name="auths.instance.ldap1.authCredName">uid</Property> <Property name="auths.instance.ldap1.dnpattern"></Property> <Property name="auths.instance.ldap1.externalReg.certs.recoverAttributeName">certsToAdd</Property> <Property name="auths.instance.ldap1.externalReg.cuidAttributeName">tokenCUID</Property> <Property name="auths.instance.ldap1.externalReg.tokenTypeAttributeName">tokenType</Property> <Property name="auths.instance.ldap1.ldap.basedn">dc=example,dc=com</Property> <Property name="auths.instance.ldap1.ldap.ldapauth.authtype">BasicAuth</Property> <Property name="auths.instance.ldap1.ldap.ldapauth.bindDN"></Property> <Property name="auths.instance.ldap1.ldap.ldapauth.bindPWPrompt">ldap1</Property> <Property name="auths.instance.ldap1.ldap.ldapauth.clientCertNickname">subsystemCert cert-pki-tomcat</Property> <Property name="auths.instance.ldap1.ldap.ldapconn.host">pki.example.com</Property> <Property name="auths.instance.ldap1.ldap.ldapconn.port">389</Property> <Property name="auths.instance.ldap1.ldap.ldapconn.secureConn">False</Property> <Property name="auths.instance.ldap1.ldap.ldapconn.version">3</Property> <Property name="auths.instance.ldap1.ldap.maxConns">15</Property> <Property name="auths.instance.ldap1.ldap.minConns">3</Property> <Property name="auths.instance.ldap1.ldapByteAttributes"></Property> <Property name="auths.instance.ldap1.ldapStringAttributes">mail,cn,uid</Property> <Property name="auths.instance.ldap1.ldapStringAttributes._000">#################################</Property> <Property name="auths.instance.ldap1.ldapStringAttributes._001"># For isExternalReg</Property> <Property name="auths.instance.ldap1.ldapStringAttributes._002"># attributes will be available as</Property> <Property name="auths.instance.ldap1.ldapStringAttributes._003"># $<attribute>$</Property> <Property name="auths.instance.ldap1.ldapStringAttributes._004"># attributes example:</Property> <Property name="auths.instance.ldap1.ldapStringAttributes._005">#mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType</Property> <Property name="auths.instance.ldap1.ldapStringAttributes._006">#################################</Property> <Property name="auths.instance.ldap1.pluginName">UidPwdDirAuth</Property> <Property name="auths.instance.ldap1.ui.description.en">This authenticates user against the LDAP directory.</Property> <Property name="auths.instance.ldap1.ui.id.PASSWORD.credMap.authCred">pwd</Property> <Property name="auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.extlogin">PASSWORD</Property> <Property name="auths.instance.ldap1.ui.id.PASSWORD.credMap.msgCred.login">password</Property> <Property name="auths.instance.ldap1.ui.id.PASSWORD.description.en">LDAP Password</Property> <Property name="auths.instance.ldap1.ui.id.PASSWORD.name.en">LDAP Password</Property> <Property name="auths.instance.ldap1.ui.id.UID.credMap.authCred">uid</Property> <Property name="auths.instance.ldap1.ui.id.UID.credMap.msgCred.extlogin">UID</Property> <Property name="auths.instance.ldap1.ui.id.UID.credMap.msgCred.login">screen_name</Property> <Property name="auths.instance.ldap1.ui.id.UID.description.en">LDAP User ID</Property> <Property name="auths.instance.ldap1.ui.id.UID.name.en">LDAP User ID</Property> <Property name="auths.instance.ldap1.ui.retries">3</Property> <Property name="auths.instance.ldap1.ui.title.en">LDAP Authentication</Property> </Properties> <Status>Enabled</Status> </Authenticator>
To disable an authenticator, execute the following command:
$ pki -n caadmin tps-authenticator-mod ldap1 --action disable ------------------------------ Modified authenticator "ldap1" ------------------------------
To enable an authenticator, execute the following command:
$ pki -n caadmin tps-authenticator-mod ldap1 --action enable ------------------------------ Modified authenticator "ldap1" ------------------------------
To modify an authenticator configuration, make sure the authenticator is disabled. Download the current configuration into a file using the pki tps-authenticator-show
command above, then edit the file:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Authenticator id="ldap1" xmlns:ns2="http://www.w3.org/2005/Atom"> <Link href="https://pki.example.com:8443/tps/rest/authenticators/ldap1" rel="self"/> <Properties> ... <Property name="auths.instance.ldap1.ldap.maxConns">20</Property> <Property name="auths.instance.ldap1.ldap.minConns">5</Property> ... </Properties> <Status>Disabled</Status> </Authenticator>
Then upload the new configuration with the following command:
$ pki -n caadmin tps-authenticator-mod ldap1 --input ldap1.xml ------------------------------ Modified authenticator "ldap1" ------------------------------
Finally, make sure the authenticator is enabled again.
To create a new authenticator, download an existing authenticator configuration into a file using the pki tps-authenticator-show
command above. Edit the file, replace the old authenticator ID with the new one, and make the necessary changes.
Then create the new authenticator with the following command:
$ pki -n caadmin tps-authenticator-add --input ldap2.xml --------------------------- Added authenticator "ldap2" ---------------------------
Make sure the new authenticator is enabled.
To delete an authenticator, make sure the authenticator is disabled, then execute the following command:
$ pki -n caadmin tps-authenticator-del ldap2 ----------------------------- Deleted authenticator "ldap2" -----------------------------
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |