[Freeipa-users] user certificate ldap EXTERNAL authentication

Rob Crittenden rcritten at redhat.com
Fri Mar 4 14:43:57 UTC 2016


Natxo Asenjo wrote:
> hi,
> 
> 
> On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
> 
>     Natxo Asenjo wrote:
> 
>  
> 
>     > Using EXTERNAL, no cookie:
>     > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
>     > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
>     > SASL/EXTERNAL authentication started
>     > ldap_sasl_interactive_bind_s: Invalid credentials (49)
>     >     additional info: client certificate mapping failed
>     >
>     > I came across this page in the 389 wiki:
>     >
>     >
>     http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
>     >
>     > But I am not really sure how to accomplish this.
>     >
>     > Is this possible in freeipa?
> 
>     I don't see why not. You just need to be able to map the subject of the
>     cert to a single entry. That's what certmap.conf attempts to do.
>      
> 
> 
> ok, I got it working but it took some effort.
> 
> Let's see, in certmap.conf the config is like this out of the box:
> 
> certmap default         default
> #default:DNComps
> #default:FilterComps    e, uid
> #default:verifycert     on
> #default:CmapLdapAttr   certSubjectDN
> #default:library        <path_to_shared_lib_or_dll>
> #default:InitFn         <Init function's name>
> default:DNComps
> default:FilterComps     uid
> certmap ipaca           CN=Certificate Authority,O=SUB.DOMAIN.TLD
> ipaca:CmapLdapAttr      seeAlso
> ipaca:verifycert        on
>  
> So, there is an additional mapping for ipaca, which is handy. But the
> CmapLdapAttr points to 'seeAlso', and if you change that to
> usercertificate;binary (where the usercertificates are), the tomcat pki
> service will no longer start because
> 
> DN: uid=pkidbuser,ou=people,o=ipaca
> 
> has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD
> 
> so we cannot change the cmapldapattr to something else, but we can add a
> seealso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD
> . And then it works.

Ah right. Because all the subjects are the same base the same map will
be used for both DS and the CA.

Any chance you could write up a HOWTO on this?

rob
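Added example, not part of the thread and not 389-ds or FreeIPA code: a small in-memory simulation of the certmap.conf evaluation the thread works through. It parses the quoted certmap.conf, picks a map by the certificate's issuer DN (the ipaca map for IPA-issued certs, otherwise the default map), and then resolves the subject DN to exactly one entry, either through CmapLdapAttr (seeAlso) or through FilterComps. Any other outcome is the "client certificate mapping failed" error from the ldapsearch output above. The directory contents, the user names, the DN normalization and the FilterComps abbreviation table are constructed assumptions; verifycert and the real LDAP search are not modelled.

```python
# Simulation of certmap.conf map selection and subject-to-entry mapping.
# Constructed example; not the 389-ds implementation.

# certmap.conf as quoted in the thread, minus the commented-out defaults
CERTMAP_CONF = """\
certmap default         default
default:DNComps
default:FilterComps     uid
certmap ipaca           CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr      seeAlso
ipaca:verifycert        on
"""

# The change the thread warns against: pointing the ipaca map at the
# attribute that stores the certificate itself.
CERTMAP_BROKEN = CERTMAP_CONF.replace("seeAlso", "usercertificate;binary")

IPA_CA = "CN=Certificate Authority,O=SUB.DOMAIN.TLD"

# Constructed stand-in for the directory. Both suffixes live in the same DS
# instance, so one map serves the CA subsystem's bind and user binds alike.
# Attribute names are lowercased because LDAP treats them case-insensitively.
DIRECTORY = {
    "uid=pkidbuser,ou=people,o=ipaca": {
        "uid": ["pkidbuser"],
        "seealso": ["CN=CA Subsystem,O=SUB.DOMAIN.TLD"],
    },
    "uid=jdoe,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld": {
        "uid": ["jdoe"],
        "seealso": ["CN=jdoe,O=SUB.DOMAIN.TLD"],      # added as the thread suggests
        "usercertificate;binary": [b"\x30\x82"],      # constructed DER placeholder
    },
    "uid=alice,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld": {
        "uid": ["alice"],                             # no seeAlso yet
        "usercertificate;binary": [b"\x30\x82"],
    },
}

# certmap FilterComps abbreviations to LDAP attribute names (assumed subset)
FILTER_ATTR = {"e": "mail", "uid": "uid", "cn": "cn", "o": "o", "ou": "ou", "c": "c"}


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form for comparison (simplified)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_dn(dn):
    """Split a DN string into (lowercased attribute, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parse_certmap(text):
    """Parse certmap.conf into {name: {'issuer': dn, 'options': {key: value}}}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)   # issuer DN may contain spaces
            maps[name] = {"issuer": issuer, "options": {}}
            continue
        parts = line.split(None, 1)                 # "name:Key value" or bare "name:Key"
        name, _, key = parts[0].partition(":")
        maps[name]["options"][key.lower()] = parts[1].strip() if len(parts) > 1 else ""
    return maps


def select_map(maps, issuer_dn):
    """Return (name, config) of the map whose issuer matches, else the default map."""
    wanted = normalize_dn(issuer_dn)
    for name, cfg in maps.items():
        if name != "default" and normalize_dn(cfg["issuer"]) == wanted:
            return name, cfg
    return "default", maps["default"]


def map_certificate(maps, directory, subject_dn, issuer_dn):
    """Resolve a client cert to exactly one entry DN; raise LookupError otherwise."""
    name, cfg = select_map(maps, issuer_dn)
    opts = cfg["options"]
    if opts.get("cmapldapattr"):
        # CmapLdapAttr: entries whose attribute holds the cert's subject DN as a string.
        attr = opts["cmapldapattr"].lower()
        wanted = normalize_dn(subject_dn)
        matches = [dn for dn, entry in directory.items()
                   if any(isinstance(v, str) and normalize_dn(v) == wanted
                          for v in entry.get(attr, []))]
    else:
        # FilterComps: every listed component must be in the subject and match
        # the entry. An empty DNComps means the whole tree is searched.
        subject = dict(parse_dn(subject_dn))
        comps = [c.strip().lower() for c in opts.get("filtercomps", "").split(",") if c.strip()]
        if not comps or any(c not in subject for c in comps):
            matches = []
        else:
            matches = [dn for dn, entry in directory.items()
                       if all(subject[c] in entry.get(FILTER_ATTR.get(c, c), []) for c in comps)]
    if len(matches) != 1:
        raise LookupError(f"client certificate mapping failed (map {name}: {len(matches)} matches)")
    return matches[0]


if __name__ == "__main__":
    maps = parse_certmap(CERTMAP_CONF)
    for subject in ("CN=jdoe,O=SUB.DOMAIN.TLD", "CN=CA Subsystem,O=SUB.DOMAIN.TLD",
                    "CN=alice,O=SUB.DOMAIN.TLD"):
        try:
            print(subject, "->", map_certificate(maps, DIRECTORY, subject, IPA_CA))
        except LookupError as err:
            print(subject, "->", err)
```

Running it shows the three outcomes the thread describes: jdoe maps through seeAlso, the CA subsystem cert maps to pkidbuser through the same seeAlso attribute, and alice fails until a seeAlso value equal to her certificate subject is added. Swapping in CERTMAP_BROKEN makes the pkidbuser mapping fail as well, which is why the PKI service could no longer bind after that change.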
