PortalEnroll Plug-in Module
Chapter 1, Authentication Plug-in Modules (page 43)
assume you have an extranet deployed for your partners. You have no prior
knowledge of the people who will register as your partners, but you want them to
be able to register, and you want to be able to trust the information they provide
during registration. By issuing each of them a certificate with a short validity
period, you limit their use of your service to that period. In the meantime, you can
verify their registration data and decide whether to allow them to continue
using your service: if you want them as your partners, you allow them to renew
their certificates before they expire; if you do not want them as your partners,
you reject their certificate renewal requests.
Note that Certificate Management System can send automated renewal
notifications to users before their certificates expire; see
“RenewalNotificationJob Plug-in Module” on page 65.
Functionally, the portal authentication module is very similar to the
directory-based authentication module (see “UidPwdDirAuth Plug-in Module” on
page 22), except that instead of binding to the directory as the enrolling user,
Certificate Management System binds as a directory account that has permission
to create and update user entries. The server then searches the directory for the
user name the user specified; if it finds no match, it adds a new entry whose
standard LDAP attributes are filled in from the form fields that match them.
For example, if the HTTP form input contains data such as surname, common
name, and phone number, the corresponding LDAP attributes would be set in the
directory; for details, see “Enrollment Forms” on page 53. The server also uses a
combination of these attributes (which you can specify using the dnpattern
parameter defined in the module) to construct subject names for certificates.
Note that the portal authentication module by default uses the standard LDAP
object class named inetOrgPerson to create and update user entries. The input
fields defined in the default portal enrollment form correspond to the attributes
of this object class as defined in Netscape Directory Server 4.x, and the module
can read and write only these attributes. However, you can customize the module
to accommodate all the fields supported by popular portals by extending the
directory schema to include a new object class; you will also need to update the
enrollment form to include input fields for the attributes of the new object class.
For guidelines on how to customize the module, see the sample located here:
<server_root>/cms_sdk/cms_jdk/samples/authentication
Figure 1-8 illustrates how the portal authentication module works during
certificate enrollment.
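To make the flow above concrete, here is an added example (not code from the Plug-Ins Guide or from Certificate Management System) that models the module's behaviour against an in-memory stand-in for the directory: the bind as the privileged service account is assumed to have already happened, the uid is looked up, an inetOrgPerson entry is created from the form fields when none exists, and the subject name is built from a dnpattern. The form field names, the `$attr.<name>` placeholder syntax and the RFC 4514 escaping of values are assumptions made for this example, not taken from the page.

```python
import re

# HTTP form field -> inetOrgPerson attribute; the field names are assumed for
# this example, the attribute names are the standard LDAP ones the page mentions
FORM_TO_LDAP = {"uid": "uid", "surname": "sn", "commonname": "cn",
                "phone": "telephoneNumber", "email": "mail"}
REQUIRED = ("sn", "cn")  # MUST attributes of inetOrgPerson (inherited from person)

def escape_rdn_value(value):
    """RFC 4514 escaping, so a form value cannot add or alter RDNs in a DN."""
    out = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

class Directory:
    """In-memory stand-in for the LDAP directory the module binds to."""
    def __init__(self, base_dn):
        self.base_dn, self.entries = base_dn, {}
    def search_uid(self, uid):
        return self.entries.get(f"uid={escape_rdn_value(uid)},{self.base_dn}")
    def add(self, uid, attrs):
        self.entries[f"uid={escape_rdn_value(uid)},{self.base_dn}"] = attrs

def portal_enroll(directory, form, dnpattern):
    """Look up the uid; create the inetOrgPerson entry if absent; build the
    certificate subject from dnpattern. Returns (subject_dn, created)."""
    uid = form["uid"]
    entry = directory.search_uid(uid)
    created = False
    if entry is None:
        attrs = {"objectClass": ["top", "person", "organizationalPerson",
                                 "inetOrgPerson"]}
        for field, attr in FORM_TO_LDAP.items():
            if form.get(field):
                attrs[attr] = form[field]
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            raise ValueError(f"form lacks required attribute(s): {missing}")
        directory.add(uid, attrs)
        entry, created = attrs, True
    # '$attr.<name>' placeholders (syntax assumed) are filled from the entry,
    # with each value escaped before it becomes part of an RDN
    subject = re.sub(r"\$attr\.(\w+)",
                     lambda m: escape_rdn_value(entry[m.group(1)]), dnpattern)
    return subject, created
```

The escaping matters because every form value ends up in the subject name of a certificate the CA signs; an unescaped comma in a common name would otherwise become an extra RDN.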
Netscape Certificate Management System Plug-Ins Guide, Version 6.01, May 2002.