Public keys, CA certificates, and CRLs required for S/MIME may be stored in an LDAP directory (see previous section). The keys, certificates, and CRLs may be accessible from a single URL or from multiple URLs in LDAP. For example, CRLs may be stored at one URL and public keys and certificates at another. Messaging Server allows you to specify which URL contains the desired CRL or certificate information, as well as the DN and password of the entry that has access to these URLs. These DN/password credentials are optional; if none are specified, LDAP access first tries the HTTP server credentials, and if that fails, it tries anonymous access.
Two pairs of smime.conf credential parameters may be set to access the desired URLs: logindn and loginpw, and crlurllogindn and crlurlloginpw.
logindn and loginpw are the credentials used for all URLs in smime.conf. They specify the DN and password of the LDAP entry that has read permission for the public keys, their certificates, and the CA certificates as specified by the certurl and trustedurl parameters.
crlurllogindn and crlurlloginpw specify the DN and password of the LDAP entry that has read permission for the URL produced by the CRL mapping table (see Accessing a CRL for more information). If these credentials are NOT accepted, LDAP access is denied and no retry with other credentials is attempted. Either both parameters must be specified, or both must be empty. These parameters do not apply to URLs that come directly from the certificate.
Messaging Server also allows you to define a DN/password pair for an individual URL, for each of the following smime.conf URLs: certUrl, trustedUrl, crlmappingUrl, sslrootcacertsUrl. Because the password is written into smime.conf in clear text (as in the example below), use an entry that has only the read permission required and protect the file accordingly.
The syntax is as follows:
url_type URL[|URL_DN | URL_password]
Example:
trustedurl==ldap://mail.siroe.com:389/cn=Directory Manager, ou=people, o=siroe.com,o=ugroot?cacertificate?sub?(objectclass=certificationauthority) | cn=Directory manager | boomshakalaka |
This section summarizes the use of LDAP credentials.
All LDAP credentials are optional; if none are specified, LDAP access first tries the HTTP server credentials, and if that fails, tries anonymous.
Two pairs of smime.conf parameters are used as credentials for the two sets of URLs that may be specified:
logindn & loginpw - all URLs in smime.conf
crlurllogindn & crlurlloginpw - all URLs produced by the CRL mapping table
These are known as the default LDAP credential pair.
Any URL specified in smime.conf or via mapping CRL URLs can have an optional local LDAP credential pair specified.
Credentials are tried in the following order:
1) Local LDAP credential pair - if specified, it is the only one tried
2) Default LDAP credential pair - if specified and no local LDAP credential pair is specified, it is the only one tried
3) Server (HTTP server credentials) - tried first only if neither a local nor a default LDAP credential pair is specified
4) Anonymous - tried last, only if the server credentials fail or no credentials are specified
If a URL has a local LDAP credential pair specified, it is used; if that access fails, access is denied and no other credentials are tried.
If a URL has no local LDAP credential pair specified, the corresponding default LDAP credential pair is used; if that access fails, access is denied.
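The following Python model, added here as an illustration and not part of Messaging Server, ties together the URL syntax shown above (url_type URL[|URL_DN | URL_password], with the page's own trustedurl example) and the credential precedence in this summary. It parses a URL line into the URL and its optional local credential pair, builds the ordered list of credentials to try (local pair, else default pair, else server then anonymous), and simulates the bind against a constructed directory stub so that the "no retry after a failed pair" rule is visible. The smime.conf values, the directory stub, and the function names are assumptions made for the example; the both-or-neither check is documented on the page for the crlurllogindn/crlurlloginpw pair and is applied to logindn/loginpw as well here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Credential:
    source: str                 # "local", "default", "server" or "anonymous"
    dn: Optional[str] = None
    password: Optional[str] = None


@dataclass(frozen=True)
class UrlEntry:
    url_type: str               # e.g. "trustedurl"
    url: str
    local: Optional[Credential] = None   # optional local LDAP credential pair


def parse_url_line(line: str) -> UrlEntry:
    """Parse one URL line:  url_type URL[|URL_DN | URL_password]
    The page's own example writes the separator as 'url_type==URL', so both
    forms are accepted (assumption: '==' is the key/value separator)."""
    line = line.strip()
    if "==" in line:
        url_type, value = line.split("==", 1)
    else:
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("expected 'url_type URL[|DN|password]': %r" % line)
        url_type, value = parts
    # '|' never appears inside an LDAP URL, so it is a safe field separator.
    fields = [f.strip() for f in value.split("|")]
    while fields and fields[-1] == "":          # tolerate a trailing '|'
        fields.pop()
    url_type = url_type.strip().lower()
    if len(fields) == 1:
        return UrlEntry(url_type, fields[0])
    if len(fields) == 3:
        return UrlEntry(url_type, fields[0], Credential("local", fields[1], fields[2]))
    raise ValueError("a local credential pair needs both a DN and a password: %r" % line)


def credential_chain(entry: UrlEntry, config: Dict[str, str],
                     from_mapping_table: bool = False) -> List[Credential]:
    """Ordered credentials to try for this URL. from_mapping_table selects the
    crlurllogindn/crlurlloginpw default pair (URLs produced by the CRL mapping
    table) instead of logindn/loginpw (URLs written in smime.conf)."""
    if entry.local is not None:
        return [entry.local]                    # 1) local pair: the only one tried
    prefix = "crlurllogin" if from_mapping_table else "login"
    dn, pw = config.get(prefix + "dn", ""), config.get(prefix + "pw", "")
    if bool(dn) != bool(pw):
        raise ValueError("%sdn and %spw must both be set or both be empty" % (prefix, prefix))
    if dn:
        return [Credential("default", dn, pw)]  # 2) default pair: the only one tried
    return [Credential("server"), Credential("anonymous")]   # 3) then 4)


def resolve_access(entry: UrlEntry, config: Dict[str, str],
                   bind: Callable[[Credential], bool],
                   from_mapping_table: bool = False) -> Optional[str]:
    """Try the chain in order; return the source of the accepted credential,
    or None when access is denied (a failed local/default pair is not retried)."""
    for cred in credential_chain(entry, config, from_mapping_table):
        if bind(cred):
            return cred.source
    return None


def directory_stub(accepted: Set[Tuple[str, str]], server_ok: bool = True,
                   anonymous_ok: bool = False) -> Callable[[Credential], bool]:
    """Constructed fake LDAP bind: accepts the listed DN/password pairs and
    returns fixed answers for the HTTP server credentials and for anonymous."""
    def bind(cred: Credential) -> bool:
        if cred.source in ("local", "default"):
            return (cred.dn, cred.password) in accepted
        return server_ok if cred.source == "server" else anonymous_ok
    return bind


# Constructed sample smime.conf values (assumptions, not a real deployment).
SAMPLE_CONFIG = {
    "logindn": "cn=smime reader,ou=people,o=siroe.com",
    "loginpw": "example-only",
    "crlurllogindn": "",
    "crlurlloginpw": "",
}
SAMPLE_TRUSTED = ("trustedurl==ldap://mail.siroe.com:389/cn=Directory Manager, ou=people,"
                  " o=siroe.com,o=ugroot?cacertificate?sub?(objectclass=certificationauthority)"
                  " | cn=Directory manager | boomshakalaka |")
SAMPLE_CERT = "certurl ldap://mail.siroe.com:389/ou=people,o=siroe.com?usercertificate?sub"


if __name__ == "__main__":
    for raw in (SAMPLE_TRUSTED, SAMPLE_CERT):
        entry = parse_url_line(raw)
        print(entry.url_type, "->", [c.source for c in credential_chain(entry, SAMPLE_CONFIG)])
    # A local pair that the directory rejects is denied outright; the default
    # pair and server/anonymous are never consulted for that URL.
    print(resolve_access(parse_url_line(SAMPLE_TRUSTED), SAMPLE_CONFIG, directory_stub(set())))
```

Running the block shows that trustedurl, which carries a local pair, yields a one-element chain, while certurl without one falls back to logindn/loginpw; the same certurl entry evaluated as a mapping-table URL (from_mapping_table=True) falls through to server and then anonymous because the crlurllogindn/crlurlloginpw pair is empty in the sample configuration.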