[Freeipa-users] user certificate ldap EXTERNAL authentication

Rob Crittenden rcritten at redhat.com
Sat Mar 5 05:00:04 UTC 2016


Natxo Asenjo wrote:
> 
> By the way, revoking the certificate does not block applications using
> it from ldap.
> 
> I can still access the ldap server using this cert/key pair *after*
> revoking the certificate using ipa cert-revoke <serialnr>. In order to
> block it I need to remove the seeAlso value of the user account, or the
> certificate attribute.
> 
> I do not know if this is a security issue, but maybe worthwhile
> documenting just in case.

SSL/TLS servers don't automatically check for cert revocation. You need
to add the CRL to the 389-ds NSS database periodically. I don't know for
sure but I don't think 389-ds can use OCSP to validate incoming client
certs. There is an IPA ticket in the backlog to investigate this for the
web and ldap servers: https://fedorahosted.org/freeipa/ticket/3542

And yeah, as you discovered, managing the value of CmapLdapAttr is a
poor man's revocation.

rob
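The CRL refresh Rob describes, as an added example that is not part of the original thread and not FreeIPA or 389-ds project code: a cron-able script that pulls the IPA CA's CRL into the directory server's NSS database with crlutil, plus a probe that repeats the poster's SASL EXTERNAL bind so the effect can be checked. The IPA host name, the instance name, the pwdfile.txt location and the assumption that crlutil lists revoked serials in hex are placeholders and assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example, not FreeIPA or 389-ds project code: refresh the IPA CA's CRL
# in a 389-ds NSS database so that revoked client certificates are rejected
# during the TLS handshake, and probe the result with an EXTERNAL bind.
#
# Assumed placeholders (not from the page): the IPA host name, the instance
# name and the pwdfile.txt location. MasterCRL.bin under /ipa/crl/ is where a
# default FreeIPA install publishes the CA's CRL.
set -eu

IPA_HOST="${IPA_HOST:-ipa.example.com}"
INSTANCE="${INSTANCE:-EXAMPLE-COM}"
NSSDB="/etc/dirsrv/slapd-${INSTANCE}"
PWFILE="${NSSDB}/pwdfile.txt"          # NSS db PIN file (assumed location)
CRL_URL="http://${IPA_HOST}/ipa/crl/MasterCRL.bin"
WORK="${TMPDIR:-/tmp}/ipa-crl.$$"

# ipa cert-show / cert-revoke use decimal serial numbers; CRL listings print
# them in hex. Convert and zero-pad to a whole number of bytes so the value
# can be grepped in crlutil output.
serial_to_hex() {
    hex=$(printf '%X' "$1")
    [ $((${#hex} % 2)) -eq 0 ] || hex="0${hex}"
    printf '%s\n' "$hex"
}

# Download the CRL and import it into the server's NSS database.
refresh_crl() {
    mkdir -p "$WORK"
    curl -fsS -o "${WORK}/MasterCRL.bin" "$CRL_URL"
    # -t 1: a CRL (not a KRL); the CA cert already trusted in the db
    # verifies the CRL signature, so no -B (bypass checks) is used.
    crlutil -I -i "${WORK}/MasterCRL.bin" -d "$NSSDB" -f "$PWFILE" -t 1
    rm -rf "$WORK"
}

# Show which CRLs (by issuer name) the database currently holds.
list_crls() {
    crlutil -L -d "$NSSDB"
}

# Check whether a decimal serial appears in the named CRL. Assumes crlutil
# prints the revoked serials in hex when a CRL is shown with -n.
crl_revokes_serial() {   # args: <issuer name as printed by list_crls> <decimal serial>
    hex=$(serial_to_hex "$2")
    crlutil -L -d "$NSSDB" -n "$1" | grep -qi "$hex"
}

# Probe: bind with the user's cert/key over STARTTLS using SASL EXTERNAL,
# the same test the original poster ran. Once the revoked serial is in the
# server's CRL this should fail in the TLS handshake instead of returning
# the user's DN.
probe_external_bind() {   # args: cert.pem key.pem
    LDAPTLS_CERT="$1" LDAPTLS_KEY="$2" \
        ldapwhoami -ZZ -H "ldap://${IPA_HOST}" -Y EXTERNAL
}

# Only act when invoked deliberately (e.g. from cron with CRL_REFRESH_RUN=1),
# so the file can also be sourced for its functions.
if [ "${CRL_REFRESH_RUN:-0}" = 1 ]; then
    refresh_crl
    list_crls
fi
```

Run it from cron at least as often as the CA regenerates its CRL, otherwise a certificate revoked after the last import is still accepted. Whether a running 389-ds notices a replaced CRL without a restart is not something this thread establishes, so after the first import run probe_external_bind with a freshly revoked cert/key pair and confirm the bind is refused before relying on the job.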