[Freeipa-users] user certificate ldap EXTERNAL authentication
Natxo Asenjo
natxo.asenjo at gmail.com
Fri Mar 4 13:11:49 UTC 2016
hi,
On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Natxo Asenjo wrote:
>
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
>
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
>
>
ok, I got it working but it took some effort.
Let's see, in certmap.conf the config is like this out of the box:
certmap default default
#default:DNComps
#default:FilterComps e, uid
#default:verifycert on
#default:CmapLdapAttr certSubjectDN
#default:library <path_to_shared_lib_or_dll>
#default:InitFn <Init function's name>
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
So, there is an additional mapping for ipaca, which is handy. But the
CmapLdapAttr points to 'seeAlso', and if you change that to
usercertificate;binary (where the usercertificates are), the tomcat pki
service will no longer start, because
DN: uid=pkidbuser,ou=people,o=ipaca
has this seeAlso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD
So we cannot change the CmapLdapAttr to something else, but we can add a
seeAlso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD.
And then it works.
This could be very handy for web applications.
Nice. Thanks for the pointer.
Regards,
Natxo
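The mapping logic that the certmap.conf above drives, as an added example that is not part of the original thread and not 389-ds code: a simplified Python model of how a client certificate's subject DN is matched to exactly one entry. It parses the same certmap.conf shown in the post, picks the ipaca section for certificates issued by the IPA CA, first looks for an entry whose CmapLdapAttr (seeAlso) holds the subject DN, and only then falls back to DNComps/FilterComps; with verifycert on, the presented certificate must also be stored on the matched entry. The directory entries, certificate bytes, the naive comma-split DN parser and the fallback order are this example's own assumptions, chosen to reproduce the failure before the seeAlso value is added and the success afterwards.

```python
"""Simplified model of 389-ds certmap.conf subject-to-entry mapping (added
example; not 389-ds code). DN parsing is naive (no escaped commas) and the
CmapLdapAttr-then-DNComps/FilterComps order is this model's assumption."""
import copy
from dataclasses import dataclass, field
from typing import Optional

# The certmap.conf from the post, with the commented defaults removed.
CERTMAP_CONF = """\
certmap default default
default:DNComps
default:FilterComps uid
certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
"""

# Constructed stand-ins for DER certificates (not real certificates).
USER_CERT = b"DER:CN=username,O=SUB.DOMAIN.TLD"
CA_SUBSYSTEM_CERT = b"DER:CN=CA Subsystem,O=SUB.DOMAIN.TLD"
IPACA = "CN=Certificate Authority,O=SUB.DOMAIN.TLD"
SUFFIX = "dc=sub,dc=domain,dc=tld"

# Constructed directory: attribute names lowercased, values as lists.
DIRECTORY = [
    {"dn": "uid=username,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld",
     "uid": ["username"], "objectclass": ["person"],
     "usercertificate;binary": [USER_CERT]},
    {"dn": "uid=pkidbuser,ou=people,o=ipaca", "uid": ["pkidbuser"],
     "seealso": ["CN=CA Subsystem,O=SUB.DOMAIN.TLD"],   # what tomcat/pki relies on
     "usercertificate;binary": [CA_SUBSYSTEM_CERT]},
]


def parse_dn(dn):
    """'CN=foo,O=bar' -> [('cn','foo'), ('o','bar')]; attribute names lowercased."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().lower(), value.strip()))
    return out


def norm_dn(dn):
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def under_base(entry_dn, base_dn):
    """True when entry_dn sits at or below base_dn (RDN-wise, case-insensitive)."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    fold = lambda comps: [(a, v.lower()) for a, v in comps]
    return len(e) >= len(b) and fold(e[-len(b):]) == fold(b)


@dataclass
class CertMap:
    name: str
    issuer: str
    dn_comps: Optional[list] = None   # None: no DNComps line -> subject DN is the search base
    filter_comps: list = field(default_factory=list)  # empty -> filter (objectclass=*)
    cmap_ldap_attr: Optional[str] = None
    verifycert: bool = False


def parse_certmap(text):
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = CertMap(name=name, issuer=issuer)
            continue
        name, _, rest = line.partition(":")
        key, _, value = rest.partition(" ")
        m, key, value = maps[name], key.lower(), value.strip()
        if key == "dncomps":          # "default:DNComps" with no value -> [] (server suffix)
            m.dn_comps = [c.strip().lower() for c in value.split(",") if c.strip()]
        elif key == "filtercomps":
            m.filter_comps = [c.strip().lower() for c in value.split(",") if c.strip()]
        elif key == "cmapldapattr":
            m.cmap_ldap_attr = value.lower()
        elif key == "verifycert":
            m.verifycert = value.lower() == "on"
    return maps


def select_map(maps, issuer_dn):
    """Section whose issuer matches the cert issuer, else the default section."""
    for m in maps.values():
        if m.name != "default" and norm_dn(m.issuer) == norm_dn(issuer_dn):
            return m
    return maps["default"]


def map_certificate(maps, directory, suffix, subject_dn, issuer_dn, cert_der):
    """Return (entry_dn, reason); entry_dn is None when the bind would fail."""
    m, subject, matches = select_map(maps, issuer_dn), parse_dn(subject_dn), []
    # 1. CmapLdapAttr: an entry whose attribute stores this subject DN.
    if m.cmap_ldap_attr:
        matches = [e for e in directory
                   if any(norm_dn(v) == norm_dn(subject_dn) for v in e.get(m.cmap_ldap_attr, []))]
    # 2. Otherwise build base/filter from the subject DN (DNComps / FilterComps).
    if not matches:
        if m.dn_comps is None:
            base = subject_dn
        elif not m.dn_comps:
            base = suffix
        else:
            base = ",".join(f"{a}={v}" for a, v in subject if a in m.dn_comps)
        wanted = {a: v for a, v in subject if a in m.filter_comps}
        if len(wanted) != len(m.filter_comps):
            return None, f"{m.name}: subject DN lacks FilterComps {m.filter_comps}"
        matches = [e for e in directory if under_base(e["dn"], base) and
                   all(v.lower() in [x.lower() for x in e.get(a, [])] for a, v in wanted.items())]
    if len(matches) != 1:   # zero or ambiguous -> "client certificate mapping failed"
        return None, f"{m.name}: client certificate mapping failed ({len(matches)} candidates)"
    entry = matches[0]
    # 3. verifycert on: the presented certificate must be on the mapped entry.
    if m.verifycert and cert_der not in entry.get("usercertificate;binary", []):
        return None, f"{m.name}: certificate not present on {entry['dn']}"
    return entry["dn"], "ok"


def mapping_results():
    """Mapping of the user cert before and after adding the seeAlso value."""
    maps, directory = parse_certmap(CERTMAP_CONF), copy.deepcopy(DIRECTORY)
    args = (maps, directory, SUFFIX, "CN=username,O=SUB.DOMAIN.TLD", IPACA, USER_CERT)
    before = map_certificate(*args)
    directory[0]["seealso"] = ["CN=username,O=SUB.DOMAIN.TLD"]   # the fix from the post
    after = map_certificate(*args)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), mapping_results()):
        print(label, result)
```

Running the model reproduces the thread: before the seeAlso value exists, the ipaca section finds no entry holding the subject DN and the fallback (no DNComps line, so the subject DN itself becomes the search base) finds nothing either, which is the "client certificate mapping failed" bind error; after the value is added the user entry is the single candidate and verifycert on then checks the certificate against usercertificate;binary. The same function maps CN=CA Subsystem to uid=pkidbuser through its existing seeAlso value, which is why that attribute cannot simply be repurposed.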