Hello,
I tried setting up the LDAP mapper (ldap_mapper) from Pam_PKCS11 and I
have a few questions on it.
How does the LDAP mapper work? How does ldap_mapper get the user certificate, and how
does it get the username to do that? What is the process behind it?
What does "Scope of search" mean, what is that:
0 = LDAP_SCOPE_BASE
1 = LDAP_SCOPE_ONE
2 = LDAP_SCOPE_SUB
Moreover, what is the difference between the "binddn" and "base" entry?
Can I use ldap_mapper with a Windoze Active Directory?
What is the sense behind "basedir", what files must I create there or
what does it do?
[CUT=/etc/pam_pkcs11/pam_pkcs11.conf]
[...]
# Directory ( ldap style ) mapper
mapper ldap {
[...]
# where base directory resides
basedir = /etc/pam_pkcs11/mapdir;
[...]
# Scope of search: 0 = x, 1 = y, 2 = z
scope = 2;
# DN to bind with. Must have read-access for user entries under "base"
binddn = "cn=pam,o=example,c=com";
passwd = "xyz";
base = "ou=People,o=example,c=com";
[...]
}
[...]
[/CUT]
Furthermore, I had compiled Pam_PKCS11 v0.5.3 with "--with-curl
--with-ldap --with-pcsclite" and e.g. pklogin_finder says I had not
compiled with "--with-ldap". Why?
[CUT=pklogin_finder.log]
[...]
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:169: LDAP mapper started.
DEBUG:ldap_mapper.c:170: debug = 1
DEBUG:ldap_mapper.c:171: ignorecase = 0
DEBUG:ldap_mapper.c:172: ldaphost = myLdapHost
DEBUG:ldap_mapper.c:173: ldapport = 389
DEBUG:ldap_mapper.c:174: scope = 2
DEBUG:ldap_mapper.c:175: binddn = C=DE,O=Siemens,serialNumber=ZZZ[...],CN=Siemens Issuing[...]
DEBUG:ldap_mapper.c:176: passwd =
DEBUG:ldap_mapper.c:177: base = C=DE,O=Siemens,serialNumber=ZZZ[...],CN=Siemens Issuing[...]
DEBUG:ldap_mapper.c:178: attribute = userCertificate
DEBUG:ldap_mapper.c:179: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:mapper_mgr.c:197: Inserting mapper [ldap] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:subject_mapper.c:116: Subject mapper started. debug: 1, mapfile: file:///etc/pam_pkcs11/subject_mapping, icase: 0
DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
DEBUG:pklogin_finder.c:147: verifing the certificate for the key #1
DEBUG:cert_vfy.c:259: adding ca certificate lookup dir /etc/pam_pkcs11/cacerts
DEBUG:cert_vfy.c:274: adding crl lookup dir /etc/pam_pkcs11/crls
DEBUG:cert_vfy.c:306: certificate is valid
DEBUG:cert_vfy.c:151: crl policy: 3
DEBUG:cert_vfy.c:151: crl policy: 1
DEBUG:cert_vfy.c:176: extracting crl distribution points
DEBUG:cert_vfy.c:200: downloading crl from ldap://[...].siemens.net/[...]
DEBUG:uri.c:531: parsing uri:
DEBUG:cert_vfy.c:210: download_crl() failed: get_from_uri() failed: parse_uri() failed: Compiled without ldap support
DEBUG:cert_vfy.c:200: downloading crl from http://[...].siemens.com/[...]
[...]
[/CUT]
Thanks in advance.
Best regards
Philippe Stellwag
Siemens AG
A&D MC RD3
Tel.: +49 (9131) 98-3972
Mobile: +49 (162) 45 13 336
mailto:philippe.stellwag@xxxxxxxxxxx
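The quoted pam_pkcs11.conf excerpt and the debug log above already answer most of the configuration questions between them: "binddn"/"passwd" are the identity the mapper authenticates to the directory as (the config comment says it must be able to read the user entries), "base" is where the search starts, "scope" says how far below "base" the search may descend, and the filter "(&(objectClass=posixAccount)(uid=%s))" with attribute "userCertificate" implies a lookup from the login name to the certificate stored in the directory. The following is an added model of that logic, written for this page and not pam_pkcs11's own code; it uses a constructed in-memory directory with placeholder certificate bytes so that the three scope values and the binddn/base distinction can be exercised offline. The DN handling (splitting on commas) is deliberately simplified for the constructed data and is an assumption, not LDAP's real DN grammar.

```python
# Added example, not pam_pkcs11 code: a model of the ldap mapper config
# quoted above. Given the login name PAM is asked to authenticate and the
# certificate read from the card, bind as "binddn", search under "base" with
# the configured scope and filter, and accept only if the directory's copy
# of the certificate matches the card's byte for byte.

# Scope values exactly as listed in pam_pkcs11.conf / the question above.
LDAP_SCOPE_BASE = 0   # only the entry named by "base" itself
LDAP_SCOPE_ONE = 1    # only the direct children of "base"
LDAP_SCOPE_SUB = 2    # "base" and everything beneath it

# Constructed directory: DN -> attributes. The userCertificate values are
# placeholder byte strings standing in for DER-encoded certificates.
DIRECTORY = {
    "o=example,c=com": {"objectClass": ["organization"]},
    "cn=pam,o=example,c=com": {"objectClass": ["person"], "userPassword": ["xyz"]},
    "ou=People,o=example,c=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=People,o=example,c=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "userCertificate": [b"DER-CERT-ALICE"]},
    "uid=bob,ou=Contractors,ou=People,o=example,c=com": {
        "objectClass": ["posixAccount"], "uid": ["bob"],
        "userCertificate": [b"DER-CERT-BOB"]},
}

# Assumption for this model: DNs contain no escaped commas, so the number of
# RDNs is simply the number of comma-separated components.
def dn_depth(dn):
    return len(dn.split(","))

def in_scope(dn, base, scope):
    """Implement the three LDAP search scopes over the DN hierarchy."""
    if not (dn == base or dn.endswith("," + base)):
        return False                      # entry is not under base at all
    if scope == LDAP_SCOPE_BASE:
        return dn == base
    if scope == LDAP_SCOPE_ONE:
        return dn != base and dn_depth(dn) == dn_depth(base) + 1
    if scope == LDAP_SCOPE_SUB:
        return True
    raise ValueError("unknown scope %r" % scope)

def bind(binddn, passwd):
    """'binddn' is the identity the mapper authenticates to the directory as.
    It is unrelated to the user being logged in; it only needs read access
    to the user entries under 'base'."""
    entry = DIRECTORY.get(binddn)
    if entry is None or passwd not in entry.get("userPassword", []):
        raise PermissionError("bind failed for " + binddn)

def search(base, scope, login, attribute):
    """Evaluate the filter (&(objectClass=posixAccount)(uid=%s)) with %s
    replaced by the login name; return the requested attribute's values."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base, scope):
            continue
        if ("posixAccount" in attrs.get("objectClass", [])
                and login in attrs.get("uid", [])):
            hits.extend(attrs.get(attribute, []))
    return hits

def map_cert_to_login(cfg, login, card_cert_der):
    """True only if the directory holds exactly this certificate for this
    login. Byte-for-byte comparison means a different user's card presented
    with this login name is rejected even though its certificate is valid."""
    bind(cfg["binddn"], cfg["passwd"])
    certs = search(cfg["base"], cfg["scope"], login, cfg["attribute"])
    return any(c == card_cert_der for c in certs)

# Values taken from the pam_pkcs11.conf excerpt quoted above.
CFG = {"binddn": "cn=pam,o=example,c=com", "passwd": "xyz",
       "base": "ou=People,o=example,c=com", "scope": LDAP_SCOPE_SUB,
       "attribute": "userCertificate"}

if __name__ == "__main__":
    print(map_cert_to_login(CFG, "alice", b"DER-CERT-ALICE"))
    print(map_cert_to_login(CFG, "alice", b"DER-CERT-BOB"))
    print(map_cert_to_login(dict(CFG, scope=LDAP_SCOPE_ONE), "bob", b"DER-CERT-BOB"))
```

Running it shows why scope = 2 is the usual choice: bob sits one level deeper than "base" (under ou=Contractors), so with LDAP_SCOPE_ONE his entry is never found and the login fails, while LDAP_SCOPE_BASE would match nothing but the ou=People entry itself. It also shows that the card certificate is not trusted on its own: the CA chain and CRL checks in the log decide whether the certificate is valid, and the mapper decides whether it belongs to the requested login.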
Thread at a glance:
Previous Message by Date:
Re: PKCS#15: max_pin_length
Addendum.
Unfortunately, it's even worse. I wrote that PINs of up to 16 characters are
usable. That is true for the PIN only. If I use a PIN of more than 8 characters
for storing data, I get an error:
max_pin_length in pkcs15.profile and in cardos.profile, for example 15 (or 16).
pkcs15-init --erase-card --create-pkcs15 --no-so-pin
pkcs15-init --store-pin --auth-id 01 --label "Hans User" --pin USERPIN --puk ""
pkcs15-init --store-data data.txt --label DATA --auth-id 01 --pin USERPIN
sec.c:201:sc_pin_cmd: returning with: Invalid arguments
Failed to verify user PIN (ref=0x1)
Failed to store data object: Invalid arguments
The same procedure with max_pin_length 8 is successful without any messages.
Mike.
--
View this message in context:
http://www.nabble.com/PKCS-15%3A-max_pin_length-tf3605656.html#a10092089
Sent from the OpenSC - User mailing list archive at Nabble.com.
Next Message by Date:
Re: PKCS#15: data file with pin protected read access, howto?
Michael Roehner wrote:
I tried the patch. Now I'm able to read the data with:
pkcs15-tool --read-data-object DATA
I have to enter the pin and the data file is read. BUT
pkcs15-tool --read-data-object DATA --pin USERPIN
fails furthermore. The --pin argument is ignored.
ack, next try ;-)
Nils
Index: src/tools/pkcs15-tool.c
===================================================================
--- src/tools/pkcs15-tool.c (Revision 3148)
+++ src/tools/pkcs15-tool.c (Arbeitskopie)
@@ -324,16 +324,22 @@
if (verbose)
printf("Reading data object with label '%s'\n",
opt_data);
- r = sc_pkcs15_read_data_object(p15card, cinfo, &data_object);
- if (r) {
- fprintf(stderr, "Data object read failed: %s\n",
sc_strerror(r));
- if (r == SC_ERROR_FILE_NOT_FOUND)
- continue; /* DEE emulation may say there is a
file */
+ r = authenticate(objs[i]);
+ if (r >= 0) {
+ r = sc_pkcs15_read_data_object(p15card, cinfo,
&data_object);
+ if (r) {
+ fprintf(stderr, "Data object read failed:
%s\n", sc_strerror(r));
+ if (r == SC_ERROR_FILE_NOT_FOUND)
+ continue; /* DEE emulation may say
there is a file */
+ return 1;
+ }
+ r = print_data_object("Data Object", data_object->data,
data_object->data_len);
+ sc_pkcs15_free_data_object(data_object);
+ return r;
+ } else {
+ fprintf(stderr, "Authentication error: %s\n",
sc_strerror(r));
return 1;
}
- r = print_data_object("Data Object", data_object->data,
data_object->data_len);
- sc_pkcs15_free_data_object(data_object);
- return r;
}
fprintf(stderr, "Data object with label '%s' not found.\n", opt_data);
return 2;
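Review bot: authenticate(objs[i]) at the top of the new block runs for every data object with the requested label, with no check of objs[i]->auth_id, while the listing change in the -369 hunk below only reads objects whose auth_id.len is 0; unless authenticate() itself treats an empty auth_id as success, --read-data-object will now prompt for a PIN (or insist on --pin) even for objects that are not PIN protected. Either guarding the call with `if (objs[i]->auth_id.len == 0 || authenticate(objs[i]) >= 0)` or returning 0 early from authenticate() when the object carries no auth_id would keep the two paths consistent.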
@@ -353,7 +359,6 @@
for (i = 0; i < count; i++) {
int idx;
struct sc_pkcs15_data_info *cinfo = (struct sc_pkcs15_data_info
*) objs[i]->data;
- struct sc_pkcs15_data *data_object;
printf("Reading data object <%i>\n", i);
printf("applicationName: %s\n", cinfo->app_label);
@@ -369,16 +374,20 @@
printf("\n");
} else
printf("NONE\n");
- printf("Path : %s\n", sc_print_path(&cinfo->path));
- r = sc_pkcs15_read_data_object(p15card, cinfo, &data_object);
- if (r) {
- fprintf(stderr, "Data object read failed: %s\n",
sc_strerror(r));
- if (r == SC_ERROR_FILE_NOT_FOUND)
- continue; /* DEE emulation may say there is a
file */
- return 1;
+ printf("Path: %s\n", sc_print_path(&cinfo->path));
+ printf("Auth ID: %s\n",
sc_pkcs15_print_id(&objs[i]->auth_id));
+ if (objs[i]->auth_id.len == 0) {
+ struct sc_pkcs15_data *data_object;
+ r = sc_pkcs15_read_data_object(p15card, cinfo,
&data_object);
+ if (r) {
+ fprintf(stderr, "Data object read failed:
%s\n", sc_strerror(r));
+ if (r == SC_ERROR_FILE_NOT_FOUND)
+ continue; /* DEE emulation may say
there is a file */
+ return 1;
+ }
+ r = list_data_object("Data Object", data_object->data,
data_object->data_len);
+ sc_pkcs15_free_data_object(data_object);
}
- r = list_data_object("Data Object", data_object->data,
data_object->data_len);
- sc_pkcs15_free_data_object(data_object);
}
return 0;
}
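Review bot: objects with a non-empty auth_id are now skipped silently in the listing: after the new `Auth ID:` line nothing tells the user that the contents were not read because a PIN is required, so the output of a protected object and of an empty one look the same. An else branch printing something like `Data Object: (PIN protected, not read)` would make that explicit. The renaming of the `Path :` label to `Path:` in the same hunk is an unrelated output change and would be cleaner as a separate commit.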
@@ -854,7 +863,10 @@
return r;
pin_info = (sc_pkcs15_pin_info_t *) pin_obj->data;
- pin = get_pin("Please enter PIN", pin_obj);
+ if (opt_pin != NULL)
+ pin = opt_pin;
+ else
+ pin = get_pin("Please enter PIN", pin_obj);
return sc_pkcs15_verify_pin(p15card, pin_info,
pin, pin? strlen((char *) pin) : 0);
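Review bot: `pin = opt_pin` passes the command-line string straight to sc_pkcs15_verify_pin() without whatever length handling get_pin() applies from pin_info (the start of this function is not visible in the hunk); if verify_pin does not enforce pin_info's min/max length itself, an over-long --pin value reaches the card instead of being rejected locally with a clear message, which is exactly the situation the max_pin_length thread on this page is tripping over. It is also worth stating in the --pin usage text that a PIN given as a command-line argument is visible to other local users in the process list and can end up in shell history, so it is meant for scripts, not interactive use.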
Previous Message by Thread:
PKCS#15: max_pin_length
I'm using OpenSC 0.11.2-rc1 with Siemens CardOS M4.01a.
In cardos.profile I increased max_pin_length to 32.
But pkcs15-init --store-pin does a PUT DATA OCI with pin length 16 (--pin arg
< 16 chars, 0-padded up to 16 chars) without any message.
If the --pin arg is > 16 chars, an error message is shown: "invalid pin length:
nn (max 16)".
pkcs15-tool --change-pin does a CHANGE REFERENCE DATA with the right two 32-byte
keys and therefore must fail.
If I change max_pin_length to 16, all is ok.
Is 16 a defined maximum somewhere in the specs?
Then ALL the tools shall warn about this even if the --pin arg is < 16 chars.
Otherwise it seems to be an error.
Mike.
--
View this message in context:
http://www.nabble.com/PKCS-15%3A-max_pin_length-tf3605656.html#a10073568
Sent from the OpenSC - User mailing list archive at Nabble.com.
Next Message by Thread:
unsupported card driver default
Hello; thank you for answering my question before. Now I have another problem: I am using a smartcard which has SMARTCOS as operating system. In the opensc.conf file a set of card drivers has been defined. My question is: what changes can I make to deal with the SMARTCOS card? It has the following ATR: 3B 8C 40 FA 80 81 05 52 01 01 A0 00 00 01 50 01. I can do some changes, but I am not sure that all the required updates are taken into account. Best regards