Specification document for LDAP API

Similar documents
Specifikationsdokument for OCES II

Specification document for the RID-CPR service

Specification document for the PID-CPR service

Introduction to NemID and the NemID Service Provider Package

An LDAP/X.500 based distributed PGP Keyserver

Using LDAP Authentication in a PowerCenter Domain

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

NemID JS Developer Support site. Guidelines

Your Question. Article: Question: How do I Configure LDAP with Net Report?

Terms and Concepts in NemID

LDAP Directory Integration with Cisco Unity Connection

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

Content Filtering Client Policy & Reporting Administrator s Guide

Implementation guide for LSS

Configuring Digital Certificates

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

Active Directory LDAP Quota and Admin account authentication and management

Integrating PISTON OPENSTACK 3.0 with Microsoft Active Directory

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

The IVE also supports using the following additional features with CA certificates:

Steps for Basic Configuration

Configuring and Using the TMM with LDAP / Active Directory

Guide. - How to setup secure communication for REST services in Automatisk kortbetaling. Revision 1.3. Nets A/S. Lautrupbjerg 10.

Introduction Installing and Configuring the LDAP Server Configuring Yealink IP Phones Using LDAP Phonebook...

SSL VPN Portal Options

Cleaning Encrypted Traffic

The following gives an overview of LDAP from a user's perspective.

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates

LISTSERV LDAP Documentation

Configuring Sponsor Authentication

Cloudwork Dashboard User Manual

Using LDAP with Sentry Firmware and Sentry Power Manager (SPM)

Configuration Guide BES12. Version 12.3

Token specification for Energinet.dk DataHub

Configure Directory Integration

Getting Started Guide Polycom RealPresence Resource Manager System, Appliance Edition

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Application Note Configuring Department of Defense Common Access Card Authentication on McAfee. Firewall Enterprise

LDAP User Service Guide 30 June 2006

How To Configure Fortigate For Free Software (For A Free Download) For A Password Protected Network (For Free) For An Ipad Or Ipad (For An Ipa) For Free (For Ipad) For Your Computer Or Ip

Application Centric Infrastructure Object-Oriented Data Model: Gain Advanced Network Control and Programmability

SOFTWARE BEST PRACTICES

Assistant Enterprise. User Guide

Secure Web Appliance. SSL Intercept

Securing SAS Web Applications with SiteMinder

Technical Bulletin 41137

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Astaro User Portal: Getting Software and Certificates Astaro IPsec Client: Configuring the Client...14

Certificate technology on Pulse Secure Access

Admin Guide Product version: Product date: November, Technical Administration Guide. General

VMware Identity Manager Administration

Server based signature service. Overview

TeliaSonera Server Certificate Policy and Certification Practice Statement

From Release 8.0, IPv6 can also be used to configure the LDAP server on the controller.

Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013

Configuration Guide BES12. Version 12.2

How To Search For An Active Directory On Goprint Ggprint Goprint.Org (Geoprint) (Georgos4) (Goprint) And Gopprint.Org Gop Print.Org

EVERYTHING LDAP. Gabriella Davis

Novell Identity Manager

LDAP and Active Directory Guide

Copyright 2016 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International, Inc., registered in the U.S. and/or other countries.

Troubleshooting Active Directory Server

[MS-FSADSA]: Active Directory Search Authorization Protocol Specification

Security certificate management

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Steps to Troubleshoot Error Your CA is not trusted. Please use a trusted CA

Open LDAP Tutorial. Sendio Security Platform Appliance. March 08 Services Update

Configuration Guide BES12. Version 12.1

Increased operational efficiency by providing customers the ability to: Use staff resources more efficiently by reducing troubleshooting time.

Certificate Policy for. SSL Client & S/MIME Certificates

IPedge Feature Desc. 5/25/12

F-Secure Messaging Security Gateway. Deployment Guide

Integrated SSL Scanning

User Management Resource Administrator. Managing LDAP directory services with UMRA

User Management / Directory Services using LDAP

Datasharp Optimum Connect Toolbar

Guidelines for the LSS for NemID interaction design and user selection

Version 9. Active Directory Integration in Progeny 9

FileCruiser. VA2600 SR1 Quick Configuration Guide

ncipher Modules Integration Guide for Axway Validation Authority Server 4.11 (Responder)

Configuring idrac6 for Directory Services

Set Up Certificate Validation

Adeptia Suite LDAP Integration Guide

Certificate technology on Junos Pulse Secure Access

Quality Center LDAP Guide

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Integrating With LDAP Directories

Steps to setup authentication and enrolment through LDAP protocol

Ciphermail Gateway Web LDAP Authentication Guide

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

Certificate Path Validation

OpenLDAP Oracle Enterprise Gateway Integration Guide

Transcription:

Nets DanID A/S Lautrupbjerg 10 DK 2750 Ballerup T +45 87 42 45 00 F +45 70 20 66 29 info@danid.dk www.nets-danid.dk CVR no. 30808460 Specification document for LDAP API Nets DanID A/S August 2016 Page 1-14

Table of Contents 1. Purpose and target group... 4 2. LDAP databases... 5 3. Example of a person with NemID with a certificate... 6 3.1 Attributes for a person... 6 4. Example of a corporate signature... 8 5. Example of an employee with a NemID employee signature... 9 6. Example: NemID issuing CA... 10 6.1 Attributes for CA... 10 7. Partial certificate revocation lists... 11 8. Searches... 12 8.1 Searches for a person with NemID with certificate... 12 8.2 Search for certificate revocation list for an issuing CA... 13 9. LDAP clients... 14 9.1 Example of search with ldapsearch... 14 9.2 Example of search with Internet Explorer... 14 Nets DanID A/S August 2016 Page 2-14

Version history 8 February 2010 Version 1.0 TechniWrite 10 June 2010 Version 1.1 MTV 20 January 2011 Version 1.2 MTV 1 February 2011 Version 1.3 MTV 23 February 2011 Version 1.4 CR/SEF 1 March 2012 Version 1.5 PKRIS 4 June 2014 Version 1.6 PHJER 19 February 2015 Version 1.7 KMAIB 4 August 2016 Version 1.8 KMAIB Nets DanID A/S August 2016 Page 3-14

1. Purpose and target group This document is a part of the NemID Service Provider Package. The purpose of the document is to provide a general introduction to LDAP and to describe how data are organised on NemID s LDAP servers. The document is relevant for the service provider if Nets DanID s Security Package does not contain the desired functionality in this area. The document is aimed at the people at the service provider who are responsible for the implementation of NemID. Nets DanID A/S August 2016 Page 4-14

2. LDAP databases An LDAP database is an object-oriented way of storing data. In contrast to a traditional database, it does not contain rows and columns. Data are instead organised as objects with mapped attributes in a tree structure. LDAP databases are traditionally used for storing, for example, user accounts in Unix systems or information from a certification authority. The information stored can be, for example, certificates or certificate revocation lists. Each object in an LDAP database has a distinguished name (DN), which identifies the object unambiguously. The DN serves as a representation of a tree structure. The objects in LDAP can have child objects, and each object can thus be treated as a leaf or an inner node in a tree of objects. An object has one or more object classes mapped, which indicate attributes that are mapped to the object. An attribute can be either mandatory or optional. As a part of the NemID infrastructure, Nets DanID provides access to two publicly available LDAP databases: Certificate LDAP With nodes that represent published end user certificates. Certificate revocation list LDAP With nodes that represent CAs (Certificate Authorities) and certificate revocation lists. Nets DanID A/S August 2016 Page 5-14

3. Example of a person with NemID with a certificate A citizen in Denmark who has a NemID certificate will also be included in NemID s certificate LDAP, if the person has chosen to publish his/her certificate in the address book. The person s DN may then look like this: cn=forename Surname+SerialNumber=PID:9208-2002-2-123456789012, o=no organisational affiliation, c=dk From this you can read: the person s name in the cn field (common name) the person s allocated PID in the serialnumber field the person s organisational affiliation (none) in the o field (organization) the person s country in the c field (country). This corresponds to the following tree structure: C = DK o=no organisational affiliation Cn=First name Last name + SerialNumber Please note that there is also a facility to provide extra information about the person in the ou field (organizationalunit), which is inserted under the o-node. The user will then have the following DN: cn=forename Surname (Young person under 18) +SerialNumber=PID:9208-2002-2-123456789012, ou=young person between 15 and 18,o=No organisational affiliation, c=dk 3.1 Attributes for a person There are the following extra attributes for a person in the Certificate LDAP: Nets DanID A/S August 2016 Page 6-14

Attribute name Content sn mail usercertificate User s surname The user s e-mail address, which is included in the certificate. If the user has chosen not to include the email address in the certificate, this attribute will not be defined. The user s certificate. Only the user s most recent certificate is accessible. Nets DanID A/S August 2016 Page 7-14

4. Example of a corporate signature The LDAP properties for a corporate signature are the same as for a NemID employee signature. The only difference is that the serialnumber contains a UID instead of a RID, as would be the case with an employee signature. Nets DanID A/S August 2016 Page 8-14

5. Example of an employee with a NemID employee signature An employee at a company in Denmark, who has a NemID employee signature, can be found in NemIDs certificate LDAP, if the employee has chosen to publish his or her certificate in the address book. The employee's DN could look as follows: cn = FirstName LastName + serialnumber = CVR :12345678-RID: 123456789012, o = Company Name / / TEL: 12345678, c = U.S. Based on the DN one can conclude the following: The employee's name in the cn (common name) The employee's serial number (which contains the CVR number for his/her company and a serial number) in the serialnumber The employee's organizational affiliation in the field o (organization) The employee's country in the field c (country). This corresponds to the following tree structure: C = DK o=company name // CVR:12345678 Cn=First name Last name + SerialNumber Note that it is also possible to specify the organizational unit, to which the employee is assigned. This is done using the field ou (organizationalunit), which is inserted under the o-node, so that the employee could have the following DN: cn = FirstName LastName + serialnumber = CVR :12345678-RID: 123456789012, OU = Test Department, o = Company Name / / TEL: 12345678, c = U.S. Possible attributes for an employee are the same as for a citizen. Nets DanID A/S August 2016 Page 9-14

6. Example: NemID issuing CA NemID works with the aid of a root CA, which issues certificates exclusively to a number of issuing CAs. Each of these CAs issues a (large) number of certificates, after which it switches to an inactive state, in which it no longer issues certificates, but only administers (e.g. in terms of revocation) the certificates already issued. A NemID certificate is thus always issued by one issuing CA never by the root CA. Both the root CA and the issuing CAs are represented as nodes in the Certificate Revocation List LDAP. The root CA has the following DN: cn=trust2408 OCES Primary CA, o=trust2408, c=dk The issuing CAs have DNs in the following format: cn=trust2408 OCES CA n, o=trust2408, c=dk 6.1 Attributes for CA The CA nodes attributes include the following: Attribute name Content cacertificate certificaterevocationlist The CA s certificate. For the root CA the certificate is selfsigned; for an issuing CA it is signed by the root CA. The full certificate revocation list for the certificates that have been issued by this CA. For the root CA these certificates are for issuing CAs; for an issuing CA they are certificates for citizens. Nets DanID A/S August 2016 Page 10-14

7. Partial certificate revocation lists Under each node that represents an issuing CA there are a number of nodes, each of which contains a part of the full certificate revocation list. These are called partial certificate revocation lists. A partial certificate revocation list contains information about up to 750 certificates, but it is faster and requires less capacity to access than the full certificate revocation list for a CA. The nodes have DNs in the following format: cn=crl1,cn=trust2408 OCES CA n, o=trust2408, c=dk The actual certificate revocation list and the full certificate revocation list are stored in the certificaterevocationlist attribute under the node. To find the partial certificate revocation list that will contain a given citizen s certificate, if the certificate is revoked you must first use the DN of the issuing CA that is in the certificate as issuerdn to locate the issuing CA in LDAP. When you have located this, you can use the X509 extension point crldistributionpoint in the certificate to find DN for the sub-node under the issuing CA that contains the partial certificate revocation list this enables you to perform a search that finds the correct node. If you only need to investigate whether a given certificate for a citizen has been revoked, it will as a rule be more appropriate to use the OCSP protocol. Read more about this in the document entitled Specification document for OCSP, which is part of the NemID Service Provider Package. Nets DanID A/S August 2016 Page 11-14

8. Searches When you want to perform a search, there are a number of necessary parameters: 1. Which LDAP server is to be searched: a. NemID s certificate LDAP is at crtdir.certifikat.dk. b. The certificate revocation list LDAP is at crldir.certifikat.dk. In both cases a TCP connection must be created to port 389. 2. In which search database the search is to start, i.e. which node in the tree is to serve as the root node for the search. 3. To what level you want to search: 1) in the search database node, 2) one level down or 3) in the whole sub-tree of the search database node. 4. Which search filter is to be matched against. 5. Which attributes you wish to have returned for matching nodes. 6. You must also specify whether you want to log on to perform the search. Only anonymous searches in the NemID LDAP databases are supported. It is also not possible to perform wildcard searches via the LDAP protocol. The above parameters must be specified, regardless of which LDAP client is being used, but the mechanism for specifying them can, of course, vary. 8.1 Searches for a person with NemID with certificate If you want to find certificates that belong to a person named Jens Hansen, you must specify the following parameters: Search database Search depth Search filter Attribute o=no organisational affiliation, c=dk Sub cn=jens Hansen usercertificate In this instance a person s name proves to be a poor filter, as there are many people called Jens Hansen. You can instead use the person s email address as a filter. If the Jens Hansen you are looking for has the email address jens@hansen.dk, this can be done using the following search parameters: Search database Search depth Search filter Attribute o=no organisational affiliation, c=dk Sub mail=jens@hansen.dk usercertificate Nets DanID A/S August 2016 Page 12-14

A limited number of search results is returned. The limit is five from OCES II. 8.2 Search for certificate revocation list for an issuing CA To obtain the full revocation list for, for example, issuing CA number I, you can perform a search using the following parameters: Search database Search depth Search filter Attribute o=trust2408, c=dk One cn=trust2408 OCES CA I, o=trust2408, c=dk certificaterevocationlist The full certificate revocation list will then be returned. Nets DanID A/S August 2016 Page 13-14

9. LDAP clients There are many different LDAP clients. Email clients will often have integrated LDAP in their address book functionality this is true, for example, of email clients from Mozilla and Microsoft. At http://www.openldap.org you will find the LDAP client ldapsearch, which is a command line tool. http://www.ldapadministrator.com has a GUI-based LDAP browser client. 9.1 Example of search with ldapsearch The above three search examples could be performed with the following parameters for ldapsearch: > ldapsearch -x -h crtdir.certifikat.dk -b "o=ingen organisatorisk tilknytning, c=dk" "cn=jens Hansen" usercertificate > ldapsearch -x -h crtdir.certifikat.dk -b "o=ingen organisatorisk tilknytning, c=dk" "mail=jens@hansen.dk" usercertificate > ldapsearch -x -h crldir.certifikat.dk -b "o=trust2408, c=dk" s one "cn=trust2408 OCES CA I" certificaterevocationlist It is also possible to find a CA s certificate with the following parameters for ldapsearch: > ldapsearch -x -h crldir.certifikat.dk -s one -b 'o=trust2408,c=dk' '(cn=trust2408 OCES CA I)' cacertificate With the addition of AIA in certificates, it is however possible to find the issuing CA directly by following the given HTTP reference in the user s certificate. 9.2 Example of search with Internet Explorer In addition to the address book s GUI search, Internet Explorer also supports LDAP searches via URL encoding of the search string. This is described in more detail in RFC 2255 (http://www.ietf.org/rfc/rfc2255.txt). The results are displayed in the address book to maintain email security. Nets DanID A/S August 2016 Page 14-14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information