[Freeipa-users] user certificate ldap EXTERNAL authentication
Rob Crittenden
rcritten at redhat.com
Fri Mar 4 14:43:57 UTC 2016
Natxo Asenjo wrote:
> hi,
>
>
> On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Natxo Asenjo wrote:
>
>
>
> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
>
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.
>
>
>
> ok, I got it working but it took some effort.
>
> Let's see, in certmap.conf the config is like this out of the box:
>
> certmap default default
> #default:DNComps
> #default:FilterComps e, uid
> #default:verifycert on
> #default:CmapLdapAttr certSubjectDN
> #default:library <path_to_shared_lib_or_dll>
> #default:InitFn <Init function's name>
> default:DNComps
> default:FilterComps uid
> certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
> ipaca:CmapLdapAttr seeAlso
> ipaca:verifycert on
>
> So, there is an additional mapping for ipaca, which is handy. But the
> CmapLdapAttr points to 'seeAlso', and if you change that to
> usercertificate;binary (where the usercertificates are), the tomcat pki
> service will no longer start because
>
> DN: uid=pkidbuser,ou=people,o=ipaca
>
> has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD
>
> so we cannot change the cmapldapattr to something else, but we can add a
> seealso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD.
> And then it works.
Ah right. Because all the subjects are the same base, the same map will
be used for both DS and the CA.
Any chance you could write up a HOWTO on this?
rob
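
The mapping discussed in this thread, as an added example that is not part of the original messages and is not 389-ds code: a simplified Python model of how the ipaca map in the quoted certmap.conf is selected by issuer DN and then requires exactly one entry whose seeAlso equals the certificate subject. The user DN, the certificate values and all helper names are constructed for illustration, and verifycert is modelled as a plain byte comparison against usercertificate;binary.

```python
# Simplified model of the certmap.conf lookup; constructed data, not 389-ds code.
CERTMAP_CONF = """\
certmap default default
certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
"""
USER_DN = "uid=username,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld"  # constructed
USER_CERT = {"issuer": "CN=Certificate Authority,O=SUB.DOMAIN.TLD",
             "subject": "CN=username,O=SUB.DOMAIN.TLD", "der": b"user-der"}

def sample_entries():  # constructed directory: user has a cert but no seeAlso yet
    return {USER_DN: {"usercertificate;binary": [b"user-der"]},
            "uid=pkidbuser,ou=people,o=ipaca": {
                "seealso": ["CN=CA Subsystem,O=SUB.DOMAIN.TLD"]}}

def norm_dn(dn):  # simplified DN comparison: ignore case and spaces after commas
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_certmap(text):
    maps = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer, "props": {}}
        else:  # "<name>:<property> [value]"
            key, _, value = line.partition(" ")
            name, _, prop = key.partition(":")
            maps[name]["props"][prop] = value.strip()
    return maps

def select_map(maps, issuer_dn):  # named map by issuer DN, else the default map
    named = [n for n, m in maps.items()
             if n != "default" and norm_dn(m["issuer"]) == norm_dn(issuer_dn)]
    return named[0] if named else "default"

def map_cert(maps, entries, cert):
    props = maps[select_map(maps, cert["issuer"])]["props"]
    attr = props.get("CmapLdapAttr", "").lower()
    hits = [dn for dn, e in entries.items() if attr
            and norm_dn(cert["subject"]) in map(norm_dn, e.get(attr, []))]
    if len(hits) != 1:
        return None  # the "client certificate mapping failed" case
    stored = entries[hits[0]].get("usercertificate;binary", [])
    if props.get("verifycert") == "on" and cert["der"] not in stored:
        return None  # presented certificate is not the one stored in the entry
    return hits[0]
```

In this model, map_cert on sample_entries() returns None until the user entry gains a seealso value of cn=username,o=SUB.DOMAIN.TLD, and a certificate whose bytes differ from the stored one is still rejected.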