[Pki-devel] [pki-devel][PATCH] 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch

[John Magne]

[PATCH] Authentication Instance Id PinDirEnrollment with authType
 value as SslclientAuth is not working.

Ticket #1578

The fixing of this problem required the following:

1. Hook up a java callback that is designed to allow the selection of a candidate
client auth cert to be sent to Ldap in the LdapSSLSocket factory object.

Previously we simply manually set the desired client auth cert nickname, which is provided
by the console interface when cofiguring the "removePin" portion of the UidPinDir Authentication method.

Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being
requested by the server. We get to see the list of candidate certs and when we match one of those with the requested
cert name, established by the console.

This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from
an external authentication directory.

2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket
to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two
steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level.

3. Was able to test this to work with the reported problem directory server provided by QE. Note: for pin removal to work, we must also
make sure that the user we authenticating to (through client auth) has the power to actually remove the pin attribute from various users.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0080-Authentication-Instance-Id-PinDirEnrollment-with-aut.patch
Type: text/x-patch
Size: 6142 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160816/997d3d25/attachment.bin>