[Freeipa-users] user certificate ldap EXTERNAL authentication
Natxo Asenjo
natxo.asenjo at gmail.com
Thu Mar 3 21:20:06 UTC 2016
hi,
I am testing certificate authentication to ipa ldap (CentOS 7.2).
I have generated a user certificate following the instructions on
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
After that I modified my $HOME/.ldaprc with these settings:
TLS_CERT /path/to/user10.pem
TLS_KEY /path/to/user10.key
The certificate has this subject:
$ openssl x509 -in user10.pem -subject -noout
subject= /O=SUB.DOMAIN.TLD/CN=user10
Then I try ldapsearch:
Using GSSAPI, ldapsearch works fine:
$ ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
....
# search result
search: 5
result: 0 Success
# numResponses: 1002
# numEntries: 1001
Using EXTERNAL, no cookie:
$ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: client certificate mapping failed
I came across this page in the 389 wiki:
http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
But I am not really sure how to accomplish this.
Is this possible in freeipa?
Thanks in advance.
Regards,
Natxo
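The "client certificate mapping failed" result above is decided entirely by the DNComps / FilterComps / verifycert rules of the 389-ds certmap.conf that the linked howto describes. The Python below is an added illustration, not code from 389-ds, FreeIPA or the poster: it models those rules on a constructed two-user IPA-style tree and constructed certificate fingerprints, so you can see what base DN and filter each configuration produces and why the mapping fails or succeeds. It assumes the stock certmap.conf (every directive under `certmap default default` commented out), the usual IPA user container `cn=users,cn=accounts,<suffix>`, and the openssl-style slash-separated subject shown in the post.

```python
"""Model of how 389-ds certmap.conf maps a client certificate subject to a directory entry.

Illustrative model only (not 389-ds or FreeIPA code); the directory entries,
subject strings and certificate fingerprints below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of an IPA tree, reduced to the attributes the mapping touches.
SUFFIX = "dc=sub,dc=domain,dc=tld"
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "uid=user10,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld",
     "uid": "user10", "cn": "user10", "mail": "user10@sub.domain.tld",
     "usercertificate": {"sha256:aa11"}},   # fingerprint of the cert stored with ipa user-add-cert (constructed)
    {"dn": "uid=user11,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld",
     "uid": "user11", "cn": "user11", "mail": "user11@sub.domain.tld",
     "usercertificate": set()},             # no certificate stored in this entry
]

# certmap translates the subject component 'e' to the LDAP attribute 'mail'; other names pass through.
FILTER_ATTR = {"e": "mail"}


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split an openssl-style '/O=SUB.DOMAIN.TLD/CN=user10' subject into (attr, value) pairs.
    Values containing '/' are not handled; the samples here have none."""
    pairs = []
    for part in subject.split("/"):
        if part:
            attr, value = part.split("=", 1)
            pairs.append((attr, value))
    return pairs


def build_search(rdns: List[Tuple[str, str]], dncomps: Optional[List[str]],
                 filtercomps: Optional[List[str]]) -> Tuple[str, str]:
    """Derive (base DN, filter) from the rules documented for certmap.conf:
      DNComps absent (directive commented out) -> base DN is the entire subject DN
      DNComps present but empty                -> base DN is the suffix (whole tree searched)
      DNComps lists components                 -> base DN built from those subject components
      FilterComps absent or empty              -> filter (objectclass=*)
      FilterComps lists components             -> equality term per component, ANDed together
    """
    by_attr = {a.lower(): v for a, v in rdns}
    subject_dn = ",".join(f"{a}={v}" for a, v in reversed(rdns))  # LDAP order, most specific RDN first
    if dncomps is None:
        base = subject_dn
    elif not dncomps:
        base = SUFFIX
    else:
        base = ",".join(f"{c}={by_attr[c]}" for c in dncomps if c in by_attr)
    terms = [f"({FILTER_ATTR.get(c, c)}={by_attr[c]})" for c in (filtercomps or []) if c in by_attr]
    if not terms:
        flt = "(objectclass=*)"
    elif len(terms) == 1:
        flt = terms[0]
    else:
        flt = "(&" + "".join(terms) + ")"
    return base, flt


def subtree_search(base: str, flt: str, entries=DIRECTORY) -> List[Dict[str, object]]:
    """Tiny subtree search supporting (objectclass=*) and ANDed equality terms."""
    terms = re.findall(r"\(([\w;-]+)=([^)]*)\)", flt)
    hits = []
    for e in entries:
        dn = str(e["dn"]).lower()
        if dn != base.lower() and not dn.endswith("," + base.lower()):
            continue  # entry lies outside the search base
        if all((a, v) == ("objectclass", "*") or str(e.get(a, "")).lower() == v.lower()
               for a, v in terms):
            hits.append(e)
    return hits


def map_certificate(subject: str, dncomps: Optional[List[str]], filtercomps: Optional[List[str]],
                    verifycert: bool = True, cert_fp: Optional[str] = None,
                    entries=DIRECTORY) -> Optional[str]:
    """Return the DN the certificate maps to, or None where 389 answers
    'Invalid credentials (49) ... client certificate mapping failed':
    zero hits, more than one hit, or (verifycert on) a single hit whose
    userCertificate does not hold the presented certificate."""
    base, flt = build_search(parse_subject(subject), dncomps, filtercomps)
    hits = subtree_search(base, flt, entries)
    if len(hits) != 1:
        return None
    if verifycert and cert_fp not in hits[0].get("usercertificate", set()):
        return None
    return str(hits[0]["dn"])


if __name__ == "__main__":
    subj = "/O=SUB.DOMAIN.TLD/CN=user10"
    for label, dn, fc in [("stock certmap.conf (all directives commented out)", None, None),
                          ("DNComps: empty, FilterComps: empty", [], None),
                          ("DNComps: empty, FilterComps: cn", [], ["cn"])]:
        base, flt = build_search(parse_subject(subj), dn, fc)
        print(f"{label:50} base={base!r} filter={flt!r} "
              f"mapped={map_certificate(subj, dn, fc, cert_fp='sha256:aa11')}")
```

What the model shows: with the stock file the base DN becomes the subject DN itself, CN=user10,O=SUB.DOMAIN.TLD, which does not exist in an IPA tree, so the search returns nothing and the bind fails; an empty DNComps with no FilterComps searches the whole suffix with (objectclass=*), hits every entry and fails as ambiguous; an empty DNComps with FilterComps cn yields (cn=user10) under the suffix and maps to exactly one user. In real 389-ds that corresponds to a section in /etc/dirsrv/slapd-INSTANCE/certmap.conf (INSTANCE is your instance name) of the form: a "certmap ipaca <issuer DN>" line whose issuer DN must equal the IPA CA subject as printed by openssl x509 -issuer -noout (the name ipaca and the issuer DN are assumptions to verify), then "ipaca:DNComps" with an empty value, "ipaca:FilterComps cn" and "ipaca:verifycert on", followed by a restart of the dirsrv instance. Two checks before relying on it: run the constructed filter yourself (ldapsearch -Y GSSAPI -b dc=sub,dc=domain,dc=tld '(cn=user10)' dn) and confirm it returns exactly one entry, remembering that in IPA the cn of a user entry is normally the full name rather than the login, so cn in the certificate must match what the entry actually holds; and with verifycert on, the entry must already contain the certificate (the ipa user-add-cert step from the linked blog post), otherwise the mapping still fails even when the search is unambiguous.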