[Freeipa-devel] Yet another user certificates/Smart Card thread

Martin Babinsky mbabinsk at redhat.com
Mon May 25 14:19:42 UTC 2015 

On 05/25/2015 03:56 PM, Martin Kosek wrote:
> On 05/25/2015 03:13 PM, Jan Cholasta wrote:
>> Hi,
>>
>> Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a):
>>> Hello all, long post ahead!
>>>
>>> I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238,
>>> and while Martin's design page
>>> (http://www.freeipa.org/page/V4/User_Certificates) brings a
>>> comprehensive overview of what should be done, there are still some gray
>>> areas we should address both in the design page and the actual
>>> implementation.
>>>
>>> These are the things that were agreed upon in previous thread(s):
>>>
>>> 1.) If the whole user certificates are available, the should be stored
>>> directly in the user entry as an attribute of the following format:
>>>
>>>       "userCertificate;binary;$id",
>>>
>>> where "id" should be an unique identifier. IIRC we agreed that the
>>> first/last 4 bytes of cert's SHA512 hash should fill the 'id' role
>>> nicely. During user authentication the whole binary blob would be
>>> matched (pspacek pointed out that the cost of this operation is
>>> acceptable).
>>>
>>> 2.) In addition, or when the user certs are stored externally, we should
>>> store the certificate metadata in the user entry. These metadata should
>>> be represented by "userCertAttrs;$id;$attr" attributes, where $attr
>>> subtype corresponds to the type of metadata (issuer, serial no., profile
>>> id, certificate hash etc.). The authentication/lookup would require some
>>> custom matching rule to fetch the correct cert.
>>>
>>> Point 1. seems clear to me, we need to implement an index for
>>> userCertificate attribute in DS and modify 'user-add/mod' commands to
>>> allow for direct enrollment through API ("--usercertificate" option).
>>>
>>> Point 2. requires more work: we need to add a new attribute
>>> "userCertAttrs" to the schema and create DS index/custom matching rule
>>> for searching. I'm also not quite sure how to approach the task of
>>> getting these metadata from external storage and putting them to the
>>> user entry.
>>
>> Both points are obsolete. See the design page you linked for the current plan.
>
> Huh, where that came from Martin? Did you have some cached old version of the
> design page? I am just wondering what went wrong, as this is something I
> deleted from that page month ago.
>
I probably got confused during re-reading threads on 'ipa-samba-team-list'.

So the only thing we require (for now) is the ability to search and 
store full user certificates in the user entry? Did I get it right?

-- 
Martin^3 Babinsky

More information about the Freeipa-devel mailing list