Menu
▾
▴
Re: [Opensc-devel] ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
|
From: Douglas E E. <dee...@gm...> - 2015-04-27 19:12:36
|
DEBUG:ldap_mapper.c:144: do_init():
DEBUG:ldap_mapper.c:393: do_open(): do_init failed
Not having use the pam_pkcs11, It looks like the LDAP URI is wrong, or it needs ldaps://, rather then ldap://
Try to get ldapsearch to work first.
On 4/27/2015 8:32 AM, Emmanuel Nazareno de Lima Ferro wrote:
> Hi guys, sorry if my english sucks!
Sounds OK to me.
>
> I want your help to find out what I am doing wrong using smartcard login with ldap map.
>
> 1) My openldap server has an attribute named cryptPassword I use to login
> 2) My certificate has an attribute named CPF I want to use as login
>
> Using token watchdata, ubuntu 14.04 amd64, libpam-pkcs11 0.6.8-4 amd64
>
> I try to do
> <b>~$ openssl verify -CApath /etc/pam_pkcs11/cacerts </b>
> but it gives me no response.
You need to give the cert to verify.
It may be expecting it on stdin.
>
> ~$ pkcs11_inspect
> DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
> DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
> DEBUG:pkcs11_lib.c:1009: getting function list
> DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:1106: module information:
> DEBUG:pkcs11_lib.c:1107: - version: 2.10
> DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
> DEBUG:pkcs11_lib.c:1109: - flags: 0000
> DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module
> DEBUG:pkcs11_lib.c:1111: - library version: 1.0
> DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
> DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
> DEBUG:pkcs11_lib.c:1037: slot 1:
> DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0
> DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
> DEBUG:pkcs11_lib.c:1049: - flags: 0007
> DEBUG:pkcs11_lib.c:1051: - token:
> DEBUG:pkcs11_lib.c:1057: - label: eferro
> DEBUG:pkcs11_lib.c:1058: - manufacturer: Watchdata Corp.
> DEBUG:pkcs11_lib.c:1059: - model: TimeCos/PK
> DEBUG:pkcs11_lib.c:1060: - serial: WDS01108186o8R7Y
> DEBUG:pkcs11_lib.c:1061: - flags: 060d
> DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
> PIN for token:
> DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1579: - type: 00
> DEBUG:pkcs11_lib.c:1580: - id: 28
> DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
> DEBUG:ldap_mapper.c:847: test ssltls = tls
> DEBUG:ldap_mapper.c:849: LDAP mapper started.
> DEBUG:ldap_mapper.c:850: debug = 1
> DEBUG:ldap_mapper.c:851: ignorecase = 0
> DEBUG:ldap_mapper.c:852: ldaphost = my-ldap-addr
> DEBUG:ldap_mapper.c:853: ldapport = 389
> DEBUG:ldap_mapper.c:854: ldapURI = my-ldap-addr my-ldap-addr2
> DEBUG:ldap_mapper.c:855: scope = 2
> DEBUG:ldap_mapper.c:856: binddn = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
> DEBUG:ldap_mapper.c:857: passwd = estacao@rlsl
> DEBUG:ldap_mapper.c:858: base = dc=company,dc=gov,dc=br
> DEBUG:ldap_mapper.c:859: attribute = userCertificate
> DEBUG:ldap_mapper.c:860: filter = (&(objectClass=posixAccount)(uid=%s))
> DEBUG:ldap_mapper.c:861: searchtimeout = 20
> DEBUG:ldap_mapper.c:862: ssl_on = 2
> DEBUG:ldap_mapper.c:864: tls_randfile =
> DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
> DEBUG:ldap_mapper.c:866: tls_cacertdir =
> DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
> DEBUG:ldap_mapper.c:868: tls_ciphers =
> DEBUG:ldap_mapper.c:869: tls_cert =
> DEBUG:ldap_mapper.c:870: tls_key =
> DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
> DEBUG:pkcs11_inspect.c:126: Found '1' certificate(s)
> DEBUG:pkcs11_inspect.c:130: verifying the certificate #1
> DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:450: certificate is valid
> DEBUG:cert_vfy.c:207: crl policy: 0
> DEBUG:cert_vfy.c:210: no revocation-check performed
> DEBUG:cert_vfy.c:464: certificate has not been revoked
> DEBUG:pkcs11_inspect.c:144: Inspecting certificate #1
> Printing data for mapper ldap:
> -----BEGIN CERTIFICATE-----
> MIIHVzCCBT+gAwIBAgIDEsMCMA0GCSqGSIb3DQEBCwUAMIGmMQswCQYDVQQGEwJC
> UjETMBEGA1UEChMKSUNQLUJyYXNpbDEPMA0GA1UECxMGQ1NQQi0xMTswOQYDVQQL
> EzJTZXJ2aWNvIEZlZGVyYWwgZGUgUHJvY2Vzc2FtZW50byBkZSBEYWRvcyAtIFNF
> UlBSTzE0MDIGA1UEAxMrQXV0b3JpZGFkZSBDZXJ0aWZpY2Fkb3JhIGRvIFNFUlBS
> TyBGaW5hbCB2NDAeFw0xNDExMjYxOTE3MzZaFw0xNzExMjUxOTE3MzZaMIGnMQsw
> CQYDVQQGEwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDEZMBcGA1UECxMQUGVzc29h
> IEZpc2ljYSBBMzERMA8GA1UECxMIQVJTRVJQUk8xKzApBgNVBAsTIkF1dG9yaWRh
> ZGUgQ2VydGlmaWNhZG9yYSBTRVJQUk9BQ0YxKDAmBgNVBAMTH0VNTUFOVUVMIE5B
> WkFSRU5PIERFIExJTUEgRkVSUk8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
> AoIBAQCR3zXAdudH3f9ink4EvkVZmvNwp912HlmW9GIh8EiBX1LNmb0RT54X8/Sw
> W+vaj/udVN+J2mwYQLrZ6n88SbU1/suDqjjjkCV6EkeQ87TUyQ6qUblhbD63kJEa
> C3AXVQsdPCivD7KDMaqC6CK8SzZzXplFsP/EoYsc1JFZcBFll+S+Ila310tsRO8i
> xXouUqBPurPeJs65bYt9Y3ZcrS/3zIImYkpZ8Qy1cyD0PG4x63CfHpZ22iyk/RAW
> nYuDXsiujlLJnS9qNtO/ZKjBIX/GAhPQTtbsxncP7M3+I0UXPrmE+GaLuAzrsyoW
> fokShglZ/MOkMreS8L/m4BVvDwh5AgMBAAGjggKJMIIChTAfBgNVHSMEGDAWgBRk
> 22dbs5UXUoSJtO9nILAIiXwHcTAOBgNVHQ8BAf8EBAMCBeAwWQYDVR0gBFIwUDBO
> BgZgTAECAw0wRDBCBggrBgEFBQcCARY2aHR0cDovL3JlcG9zaXRvcmlvLnNlcnBy
> by5nb3YuYnIvZG9jcy9kcGNzZXJwcm9hY2YucGRmMIHRBgNVHR8EgckwgcYwPKA6
> oDiGNmh0dHA6Ly9yZXBvc2l0b3Jpby5zZXJwcm8uZ292LmJyL2xjci9hY3NlcnBy
> b2FjZnY0LmNybDA+oDygOoY4aHR0cDovL2NlcnRpZmljYWRvczIuc2VycHJvLmdv
> di5ici9sY3IvYWNzZXJwcm9hY2Z2NC5jcmwwRqBEoEKGQGh0dHA6Ly9yZXBvc2l0
> b3Jpby5pY3BicmFzaWwuZ292LmJyL2xjci9zZXJwcm8vYWNzZXJwcm9hY2Z2NC5j
> cmwwVgYIKwYBBQUHAQEESjBIMEYGCCsGAQUFBzAChjpodHRwOi8vcmVwb3NpdG9y
> aW8uc2VycHJvLmdvdi5ici9jYWRlaWFzL2Fjc2VycHJvYWNmdjQucDdiMIGrBgNV
> HREEgaMwgaCgPQYFYEwBAwGgNAQyMjUwMzE5NzAyMzE5OTE1NjMwNDE4MDAwMjY5
> OTkxMDAwMDAxMDE4NjgyOTg1U1NQTUGgFwYFYEwBAwagDgQMMDAwMDAwMDAwMDAw
> oCgGBWBMAQMFoB8EHTAyOTk5ODA4MDc1MjA4ODAxNzBTQU8gTFVJU01BgRxlbW1h
> bnVlbC5mZXJyb0BzZXJwcm8uZ292LmJyMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggr
> BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAgEAfkATOsGd4grAh8vruyJK38tVVPvU
> NDQu8yoqutJYkWI8NWrlQIdcKLLmrgQpVK10ri8z4geLRjmuSdb9FNOhKgwvOMz3
> 5R+oVlfxuFFuI++03MM+Q3CmxF6ifgeGxVqi9TB97Unw3PusdPqiiPph7qG+Zhtr
> pbcgBJ8EmioT4W8r8Idfh0PcTGPywpTGZKGxT6vA0/ztCcJWo/wrAXu8ilXuarUv
> mUCXegk95+Ca3Z5tAuvNGtnWjUjdVz19gyTa4H2cM8pkT98R4l8PgXXu3qVd4SAn
> a/LwlH6VjzUgWTv9rUTkIozJaMKx/v0vS7EUZR4Gsenq8r/L5XEKUlnk8keN62eU
> 7an8oUofAUNhS50qbMmcf1nB4euTd4X3dVW8urAdXoR10xUj0ADxPZ7P+O15kzg8
> zkJU0UvGj57prna8u2bHMOqmaAX88zzBrflgu63EdBk3lD4lN1h0nylSGIMsXOQ/
> l516VKforHnUwwgPs43NFP/6j7gvUOn3wKT4UsDgUBJ0pUFvX14Pnk229kI+G1lD
> IzeFZbS4er6AZpXMJx3I1gLOCfB8MLF/3/+ofp+y5/Ptflyk8HgHueBEOuZKiKxC
> /sH+x3P5Kr/iGqBGnbsHw4ukO3oNJUOY62OQJynRWZuhs54rnTlzzUlgRtWsBQtX
> 9GY+ttfIpZgFnpc=
> -----END CERTIFICATE-----
>
> DEBUG:mapper_mgr.c:213: unloading mapper module list
> DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
> DEBUG:mapper_mgr.c:145: unloading module ldap
> DEBUG:pkcs11_lib.c:1443: logout user
> DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
> DEBUG:pkcs11_inspect.c:161: releasing pkcs #11 module...
> DEBUG:pkcs11_inspect.c:164: Process completed
>
> --------------------------------------------------------------------------
> ~$ pkcs11_listcerts
> DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
> DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
> DEBUG:pkcs11_lib.c:1009: getting function list
> DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:1106: module information:
> DEBUG:pkcs11_lib.c:1107: - version: 2.10
> DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
> DEBUG:pkcs11_lib.c:1109: - flags: 0000
> DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module
> DEBUG:pkcs11_lib.c:1111: - library version: 1.0
> DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
> DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
> DEBUG:pkcs11_lib.c:1037: slot 1:
> DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0
> DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
> DEBUG:pkcs11_lib.c:1049: - flags: 0007
> DEBUG:pkcs11_lib.c:1051: - token:
> DEBUG:pkcs11_lib.c:1057: - label: eferro
> DEBUG:pkcs11_lib.c:1058: - manufacturer: Watchdata Corp.
> DEBUG:pkcs11_lib.c:1059: - model: TimeCos/PK
> DEBUG:pkcs11_lib.c:1060: - serial: WDS01108186o8R7Y
> DEBUG:pkcs11_lib.c:1061: - flags: 060d
> DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
> PIN for token:
> DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1579: - type: 00
> DEBUG:pkcs11_lib.c:1580: - id: 28
> DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
> Found '1' certificate(s)
> Certificate #1:
> - Subject: /C=BR/O=ICP-Brasil/OU=Pessoa Fisica A3/OU=ARcompany/OU=Autoridade Certificadora companyACF/CN=EMMANUEL FERRO
> - Issuer: /C=BR/O=ICP-Brasil/OU=CSPB-1/OU=Servico Federal de Processamento de Dados - company/CN=Autoridade Certificadora do company Final v4
> - Algorithm: rsaEncryption
> DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:450: certificate is valid
> DEBUG:cert_vfy.c:207: crl policy: 0
> DEBUG:cert_vfy.c:210: no revocation-check performed
> DEBUG:cert_vfy.c:464: certificate has not been revoked
> DEBUG:pkcs11_lib.c:1443: logout user
> DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
> DEBUG:pkcs11_listcerts.c:157: releasing pkcs #11 module...
> DEBUG:pkcs11_listcerts.c:160: Process completed
>
> --------------------------------------------------------------------------
> :~$ sudo login 22222222222
> Smartcard authentication starts
> DEBUG:pam_pkcs11.c:308: username = [22222222222]
> DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so]
> DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
> DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so
> DEBUG:pkcs11_lib.c:1009: getting function list
> DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
> DEBUG:pkcs11_lib.c:1106: module information:
> DEBUG:pkcs11_lib.c:1107: - version: 2.10
> DEBUG:pkcs11_lib.c:1108: - manufacturer: WatchData
> DEBUG:pkcs11_lib.c:1109: - flags: 0000
> DEBUG:pkcs11_lib.c:1110: - library description: PKCS#11 cryptoki module
> DEBUG:pkcs11_lib.c:1111: - library version: 1.0
> DEBUG:pkcs11_lib.c:1118: number of slots (a): 1
> DEBUG:pkcs11_lib.c:1141: number of slots (b): 1
> DEBUG:pkcs11_lib.c:1037: slot 1:
> DEBUG:pkcs11_lib.c:1047: - description: WatchData IC CARD Reader/Writer 0
> DEBUG:pkcs11_lib.c:1048: - manufacturer: Watchdata Technologies Pte.Ltd
> DEBUG:pkcs11_lib.c:1049: - flags: 0007
> DEBUG:pkcs11_lib.c:1051: - token:
> DEBUG:pkcs11_lib.c:1057: - label: eferro
> DEBUG:pkcs11_lib.c:1058: - manufacturer: Watchdata Corp.
> DEBUG:pkcs11_lib.c:1059: - model: TimeCos/PK
> DEBUG:pkcs11_lib.c:1060: - serial: WDS01108186o8R7Y
> DEBUG:pkcs11_lib.c:1061: - flags: 060d
> Token found.
> DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 1
> Welcome eferro!
> Token PIN:
> DEBUG:pkcs11_lib.c:1383: login as user CKU_USER
> DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
> DEBUG:pkcs11_lib.c:1579: - type: 00
> DEBUG:pkcs11_lib.c:1580: - id: 28
> DEBUG:pkcs11_lib.c:1612: Found 1 certificates in token
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
> DEBUG:ldap_mapper.c:847: test ssltls = tls
> DEBUG:ldap_mapper.c:849: LDAP mapper started.
> DEBUG:ldap_mapper.c:850: debug = 1
> DEBUG:ldap_mapper.c:851: ignorecase = 0
> DEBUG:ldap_mapper.c:852: ldaphost = my-ldap-addr
> DEBUG:ldap_mapper.c:853: ldapport = 389
> DEBUG:ldap_mapper.c:854: ldapURI = my-ldap-addr my-ldap-addr2
> DEBUG:ldap_mapper.c:855: scope = 2
> DEBUG:ldap_mapper.c:856: binddn = uid=estacao,ou=servicos,ou=corp,dc=company,dc=gov,dc=br
> DEBUG:ldap_mapper.c:857: passwd = mypass
> DEBUG:ldap_mapper.c:858: base = dc=company,dc=gov,dc=br
> DEBUG:ldap_mapper.c:859: attribute = userCertificate
> DEBUG:ldap_mapper.c:860: filter = (&(objectClass=posixAccount)(uid=%s))
> DEBUG:ldap_mapper.c:861: searchtimeout = 20
> DEBUG:ldap_mapper.c:862: ssl_on = 2
> DEBUG:ldap_mapper.c:864: tls_randfile =
> DEBUG:ldap_mapper.c:865: tls_cacertfile= /etc/ssl/certs/389-ca.crt
> DEBUG:ldap_mapper.c:866: tls_cacertdir =
> DEBUG:ldap_mapper.c:867: tls_checkpeer = 0
> DEBUG:ldap_mapper.c:868: tls_ciphers =
> DEBUG:ldap_mapper.c:869: tls_cert =
> DEBUG:ldap_mapper.c:870: tls_key =
> DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
> DEBUG:pam_pkcs11.c:551: verifying the certificate #1
> verifying certificate
> DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
> DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
> DEBUG:cert_vfy.c:450: certificate is valid
> DEBUG:cert_vfy.c:207: crl policy: 0
> DEBUG:cert_vfy.c:210: no revocation-check performed
> DEBUG:cert_vfy.c:464: certificate has not been revoked
> DEBUG:ldap_mapper.c:618: ldap_get_certificate(): begin login = 22222222222
> DEBUG:ldap_mapper.c:623: ldap_get_certificate(): filter_str = (&(objectClass=posixAccount)(uid=22222222222))
> DEBUG:ldap_mapper.c:581: added URI my-ldap-addr
> DEBUG:ldap_mapper.c:581: added URI my-ldap-addr2
> DEBUG:ldap_mapper.c:581: added URI ldap://my-ldap-addr:389
> DEBUG:ldap_mapper.c:682: ldap_get_certificate(): try do_open for my-ldap-addr
> DEBUG:ldap_mapper.c:144: do_init():
> DEBUG:ldap_mapper.c:393: do_open(): do_init failed
> DEBUG:ldap_mapper.c:696: ldap_get_certificate(): do_open failed
> DEBUG:ldap_mapper.c:892: ldap_get_certificate() failed
> DEBUG:mapper_mgr.c:306: Mapper module ldap match() returns 0
> DEBUG:pam_pkcs11.c:634: certificate is valid but does not match the user
> ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
> Error 2336: No matching certificate found
> DEBUG:mapper_mgr.c:213: unloading mapper module list
> DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
> DEBUG:mapper_mgr.c:145: unloading module ldap
> DEBUG:pkcs11_lib.c:1443: logout user
> DEBUG:pkcs11_lib.c:1450: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1456: releasing keys and certificates
>
> Login incorrect
> Smartcard authentication starts
> DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> Please insert your Token or enter your username.
>
> --------------------------------------------------------------------------
> :~$ sudo vim /etc/pam_pkcs11/pam_pkcs11.conf
> --------------------------------------------------------------------------
> pam_pkcs11 {
> # Allow empty passwords
> nullok = true;
>
> # Enable debugging support.
> debug = true; ##false;
>
> # Do not prompt the user for the passwords but take them from the
> # PAM_ items instead.
> use_first_pass = false;
>
> # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
> # is unset.
> try_first_pass = false;
>
> # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
> # previously set (intended for stacking password modules only).
> use_authtok = true; ##false;
>
> # Filename of the PKCS #11 module. The default value is "default"
> use_pkcs11_module = wdtoken;
>
> [...]
>
> # WatchData
> pkcs11_module wdtoken {
> module = "/usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so";
> description = "Watchdata token";
> slot_num = 0;
> support_threads = true;
> ca_dir = "/etc/pam_pkcs11/cacerts";
> cert_policy = ca, signature;
> token_type = Token;
> }
>
> [...]
>
> use_mappers = ldap;
>
> [...]
>
> mapper ldap {
> debug = true;
> module = "/lib/pam_pkcs11/ldap_mapper.so";
> ldaphost = "my.ldap.addr";
> ldapport = 389;
> URI = "my.ldap.addr my.ldap.addr2";
> scope = 2;
> binddn = "uid=workstation,ou=serv,ou=corp,dc=company,dc=gov,dc=br";
> passwd = "mypass";
> base = "dc=company,dc=gov,dc=br";
> attribute = userCertificate;
> filter = "(&(objectClass=posixAccount)(uid=%s))";
> ssl = tls;
> tls_cacertfile = "/etc/ssl/certs/389-ca.crt";
> tls_checkpeer = 0;
> }
> }
>
> -
>
>
> "Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é enviada exclusivamente a seu destinatário e pode conter
> informações confidenciais, protegidas por sigilo profissional. Sua utilização desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a recebeu indevidamente, queira, por gentileza,
> reenviá-la ao emitente, esclarecendo o equívoco."
>
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain
> confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it
> back, elucidating the failure."
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
--
Douglas E. Engert <DEE...@gm...>
|
