Puavo

Authenticating web services against Puavo's LDAP

The LDAP server hosted by Opinsys is reachable on a public IP, but the source IP of the connecting service must be whitelisted before connections are accepted. The hostname and IP are:

Hostname             Public IP
extldap1.opinsys.fi  217.112.254.7 (the IP can change without prior notice; use it only for troubleshooting)

The LDAP server accepts only encrypted connections. The CA root certificate is at the bottom of this page. The supported protocols and ports are:

Protocol       Port
ldap+StartTLS  389
ldaps          636

Service accounts

A separate LDAP service account is needed for each service that uses LDAP authentication. The accounts are created in Puavo, which requires owner privileges. The LDAP DN format is:

uid=exampleapp,ou=System Accounts,dc=edu,dc=org,dc=fi

Services must bind with this DN and search for the user account, because the usernames are not part of the user DNs. Service accounts can be given different levels of access depending on what the service needs. All access is read-only.

The following access levels are available:

Authentication

  • eduPersonPrincipalName
  • uid

Posix users and groups

Users

  • givenName
  • gidNumber
  • homeDirectory
  • eduPersonPrincipalName
  • puavoEduPersonAffiliation (student / teacher / guest / admin / other)
  • uid
  • sn
  • uidNumber
  • preferredLanguage

Groups

  • cn - posix name of the group
  • puavoSchool - DN of the school group that the group belongs to
  • displayName - human friendly name
  • gidNumber
  • member - member DNs
  • memberUid - member uids

LDAP structure

Subtree             Example
Root                dc=edu,dc=org,dc=fi
User information    ou=People,dc=edu,dc=org,dc=fi
Groups information  ou=Groups,dc=edu,dc=org,dc=fi
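The search-then-bind flow described under Service accounts, applied to the subtree layout above, as an added example that is not part of the Puavo documentation or code. It runs offline against an in-memory stand-in for the directory: the stub class, the service account password and the user password are constructed, and on a real deployment the stub would be replaced by an LDAP client library connecting over ldaps to extldap1.opinsys.fi with the CA certificate below.

```python
import re

BASE_PEOPLE = "ou=People,dc=edu,dc=org,dc=fi"  # from the subtree table above
SERVICE_DN = "uid=exampleapp,ou=System Accounts,dc=edu,dc=org,dc=fi"
SERVICE_PASSWORD = "constructed-service-secret"  # constructed for the stub

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so user input cannot alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def user_filter(login: str) -> str:
    """Match uid or eduPersonPrincipalName (the attributes the Authentication
    access level exposes); the login name is not part of the DN."""
    v = escape_filter(login)
    return f"(&(objectClass=puavoEduPerson)(|(uid={v})(eduPersonPrincipalName={v})))"

class StubDirectory:
    """Offline stand-in for extldap1.opinsys.fi with the page's sample user and
    the service account (passwords constructed). It compares the filter value
    verbatim instead of LDAP-unescaping it, which suffices here."""
    def __init__(self):
        self.entries = {
            SERVICE_DN: {"uid": "exampleapp", "eduPersonPrincipalName": "",
                         "_password": SERVICE_PASSWORD},
            "puavoId=42225,ou=People,dc=edu,dc=org,dc=fi": {
                "uid": "esimerkki.oppilas",
                "eduPersonPrincipalName": "esimerkki.oppilas@ORG.OPINSYS.FI",
                "_password": "constructed-secret"},
        }

    def search(self, base: str, flt: str) -> list:
        v = re.search(r"\(uid=([^)]*)\)", flt).group(1)
        return [dn for dn, e in self.entries.items() if dn.endswith("," + base)
                and v in (e["uid"], e["eduPersonPrincipalName"])]

    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn)
        return e is not None and e["_password"] == password

def authenticate(directory, login: str, password: str):
    """Search as the service account, then bind as the found user.
    Returns the user's DN on success, None otherwise."""
    if not password:  # empty password = unauthenticated bind (RFC 4513): reject
        return None
    if not directory.bind(SERVICE_DN, SERVICE_PASSWORD):
        raise RuntimeError("service account bind failed")
    matches = directory.search(BASE_PEOPLE, user_filter(login))
    if len(matches) != 1:  # none or ambiguous: refuse rather than guess
        return None
    return matches[0] if directory.bind(matches[0], password) else None
```

A login such as `*)(uid=*` is escaped into a literal value by escape_filter, so it matches no user and authenticate returns None instead of widening the search.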

The Authentication access level gives access to the following attributes:

dn: puavoId=42225,ou=People,dc=edu,dc=org,dc=fi
puavoId: 42225
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: puavoEduPerson
objectClass: sambaSamAccount
objectClass: eduPerson
eduPersonPrincipalName: esimerkki.oppilas@ORG.OPINSYS.FI
uid: esimerkki.oppilas

The Posix users and groups access level gives access to the following attributes:

dn: puavoId=42225,ou=People,dc=edu,dc=org,dc=fi
puavoId: 42225
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: puavoEduPerson
objectClass: sambaSamAccount
objectClass: eduPerson
givenName: Esimerkki
gidNumber: 10192
homeDirectory: /home/esimerkki.oppilas
eduPersonPrincipalName: esimerkki.oppilas@ORG.OPINSYS.FI
puavoEduPersonAffiliation: student
uid: esimerkki.oppilas
sn: Oppilas
uidNumber: 55148
preferredLanguage: fi

Groups:

dn: puavoId=8204,ou=Groups,dc=edu,dc=org,dc=fi
puavoId: 8204
objectClass: top
objectClass: posixGroup
objectClass: puavoEduGroup
objectClass: sambaGroupMapping
cn: esimryhma
puavoSchool: puavoId=8202,ou=Groups,dc=edu,dc=org,dc=fi
displayName: Esimerkki
gidNumber: 10193
sambaGroupType: 2
sambaSID: S-1-5-21-139932918-31463239-12390432-8204
puavoUserRole: puavoId=8203,ou=Roles,dc=edu,dc=org,dc=fi
member: puavoId=42225,ou=People,dc=edu,dc=org,dc=fi
memberUid: esimerkki.oppilas

CA root certificate used by the LDAP server:


The openssl command can be used to display the certificate details:

$ openssl x509 -in opinsys-ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e6:55:60:54:27:e2:6a:ba
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca.opinsys.fi
        Validity
            Not Before: Oct  1 11:56:54 2010 GMT
            Not After : Oct  1 11:56:54 2025 GMT
        Subject: CN=ca.opinsys.fi
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C4:DB:5E:CC:40:F8:79:CD:25:B7:B9:EA:E5:20:B6:85:EC:F0:2C:47
            X509v3 Authority Key Identifier:
                keyid:C4:DB:5E:CC:40:F8:79:CD:25:B7:B9:EA:E5:20:B6:85:EC:F0:2C:47
                DirName:/CN=ca.opinsys.fi
                serial:E6:55:60:54:27:E2:6A:BA

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption