Setting Up Portal Enrollment - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

Automated Enrollment

Setting Up Portal Enrollment

Portal enrollment enables you to issue certificates and create directory entries for users who
do not yet have an entry in your directory. Portal enrollment involves registering users by
adding them to your directory while simultaneously issuing them a certificate. When a user
requests a certificate, the information they provide is used to add the user to the directory, if
an entry does not presently exist for that user, and to issue the user a certificate. Portal
enrollment is useful when you have a portal and want to register users and have them later
authenticate using a certificate. Because you register anyone who comes to the site, this
method does not authenticate users at enrollment time, unless they already have entries
in the LDAP directory. Authentication comes later, when users log in to the site: their
LDAP entries and certificates prove only that they are registered users.

The PortalEnroll module does the following:

• Performs dual operations, registration and authentication, eliminating the need for
users to use separate forms to register for an online service and to request a certificate;
the module enables deployment of certificates along with registration in an
LDAP-compliant directory.
• Verifies the uniqueness of the new user's chosen user name against an
LDAP-compliant user directory and uses the user name as the only authentication
token required to obtain a certificate.
• Uses the information from the enrollment form to create new user entries and update
directory entry attributes for unique user names.
• Leverages an existing LDAP-compliant user directory, typically used for storing user
information.

Note that the portal authentication module by default uses the standard LDAP object class
named inetOrgPerson to create and update user entries. The input fields defined in the
default portal enrollment form correspond to the attributes defined in this object class as
defined in Red Hat Directory Server 4.x. The module is capable of reading and writing
these attributes only. However, you can customize the module to accommodate all the fields
supported by popular portals by extending the directory schema to include a new object
class; you'll also be required to update the enrollment form to include attributes
corresponding to the new object class.

To set up portal enrollment you do the following:

Red Hat Certificate System Administrator's Guide • September 2005
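
The registration half of the flow described above, as an added Python sketch that is not the PortalEnroll module's own code: a uniqueness check on the requested user name, then creation of an inetOrgPerson entry from the form fields. The base DN, the `(uid=...)` filter shape, the form field names, the in-memory dictionary standing in for the directory, and the rejection of a name that is already taken are assumptions.

```python
# Added sketch of the portal-enrollment flow; not the PortalEnroll module's code.
BASE_DN = "ou=People,dc=example,dc=com"   # assumption: constructed suffix
# Assumption: form fields map to these inetOrgPerson attributes (RFC 2798).
FORM_ATTRS = ("uid", "cn", "sn", "givenName", "mail", "telephoneNumber")
OBJECT_CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson")


def escape_filter(value):
    """RFC 4515: keep a user-chosen name from rewriting the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_rdn(value):
    """RFC 4514: escape a value before placing it in a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def uniqueness_filter(uid):
    """Search filter for the uniqueness check on the requested user name."""
    return "(uid=%s)" % escape_filter(uid)


def enroll(directory, form):
    """Register a new user; return the new DN, or None if the request fails.

    `directory` maps DN -> attribute dict and stands in for the LDAP server.
    """
    uid = form.get("uid", "").strip()
    if not uid or "\x00" in uid or not form.get("cn") or not form.get("sn"):
        return None                      # cn and sn are mandatory for person
    # uid uses case-insensitive matching, so "Alice" collides with "alice".
    if any(e["uid"].lower() == uid.lower() for e in directory.values()):
        return None                      # name taken: no entry, no certificate
    # Only the known attributes are written; extra form fields are dropped.
    entry = {a: form[a] for a in FORM_ATTRS if form.get(a)}
    entry["uid"] = uid
    entry["objectClass"] = list(OBJECT_CLASSES)
    dn = "uid=%s,%s" % (escape_rdn(uid), BASE_DN)
    directory[dn] = entry
    return dn
```

Because the user name is the only token checked, any caller with an unused name receives an entry, and that name is placed into both the search filter and the DN, which is why both escapes are applied.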
