[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping
flo-renaud
freeipa-github-notification at redhat.com
Wed Feb 22 20:37:18 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping
flo-renaud commented:
"""
Hi @sumit-bose,
I am not able to reproduce this issue:
`[root@vm-161 ~]# kinit -k
[root@vm-161 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_h6XRpeK
Default principal: host/vm-161.example.com@DOM-161.EXAMPLE.COM

Valid starting       Expires              Service principal
02/22/2017 21:30:10  02/23/2017 21:30:10  krbtgt/DOM-161.EXAMPLE.COM@DOM-161.EXAMPLE.COM
[root@vm-161 ~]# ldapsearch -H ldap://vm-161 '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI -LLL
SASL/GSSAPI authentication started
SASL username: host/vm-161.example.com@DOM-161.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: cn=rule1,cn=certmaprules,cn=certmap,dc=dom-161,dc=example,dc=com
objectClass: ipacertmaprule
objectClass: top
cn: rule1
description: d1
ipaEnabledFlag: TRUE
`
Do you have the ACI "permission:System: Read Certmap Rules" defined on dn: cn=certmaprules,cn=certmap,$BASEDN? It should grant access to ldap:///all
"""
See the full comment at https://github.com/freeipa/freeipa/pull/398#issuecomment-281795345