I haven't read the link but maybe there is some confusion about TLS binding 
here. You do the create_rsa_user and that only sets up the certificates.

> On 4 Jun 2019, at 17:51, Anuj Borah <[email protected]> wrote:
> 
> @William Brown
>  
> Thanks, I am doing the same. Trying to follow it. (I have made this script 
> 99% pass.)
>  
> But it's way too old. It uses things like:
> 
> standalone.nss_ssl.create_rsa_user('testuser')   ---- not valid 
> (NssSsl(standalone).create_rsa_user('testuser'))
> 
> standalone.nss_ssl.get_rsa_user('testuser')   ------ not valid 
> (NssSsl(standalone).get_rsa_user('testuser'))

IIRC this syntax is valid, but maybe the linking type was removed. 

> 
> standalone.openConnection --- I don't know what it is. Maybe bind.

Yes, I think this is bind now. If you grep for create_rsa_user in the tests you 
may find another example. 

> 
> And most importantly, after I have made this script 99% pass, I am not able 
> to see the userCertificate field in the test user that was created during the 
> test, while I do _unsafe_raw_entry().

Because you don't need it. The certificate's cn is mapped to the cn in the 
directory, and then because the certificate was issued by the CA, it "confirms" 
the user's identity. No userCertificate attribute required.

There is a configuration that DOES require the certificate to not only be 
signed, but also be in userCertificate for binary matching, but this is a 
configuration option, not the default. I seem to recall helping document all 
this with Marc, so it should be in the latest RHDS documentation. Generally 
though, the userCertificate attribute today would be used to allow a client 
like SSSD to read the userCertificate to allow smart card authentication to a 
workstation. 

Does that help a bit? 

> 
> Also mind changing the lib389 doc 
> https://spichugi.fedorapeople.org/html/guidelines.html#setting-up-ssl-tls . 
> It's the same test case given there, which is not relevant now.
> 
> Regards
> Anuj Borah
> 
> On Tue, Jun 4, 2019 at 9:08 PM William Brown <[email protected]> wrote:
> I'm currently traveling at the moment, but I can have a look later to update 
> this to work on latest lib389 etc.
> 
> You can read it and use it as an example though, even if it doesn't pass ... 
> 
> > On 4 Jun 2019, at 16:32, Anuj Borah <[email protected]> wrote:
> > 
> > @William Brown
> >  
> > This test script does not pass. It's too old.
> > 
> > Regards
> > Anuj Borah
> > 
> > On Tue, Jun 4, 2019 at 8:00 PM William Brown <[email protected]> wrote:
> > Have a look at this test case if you want to do usercertificate generation 
> > and authentication :) 
> > 
> > https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/tests/tls_external_test.py
> > 
> > > On 4 Jun 2019, at 14:31, Anuj Borah <[email protected]> wrote:
> > > 
> > > Hi all,
> > > 
> > > Let's say I want to create a user with a userCertificate field. My user will 
> > > look like below.
> > > 
> > > from lib389._constants import DEFAULT_SUFFIX, PW_DM
> > > from lib389.idm.user import UserAccounts
> > > 
> > > # topo is the pytest topology fixture (lib389.topologies.topology_st)
> > > users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
> > > users_people.create(properties={
> > >     'uid': 'certUser2',
> > >     'cn': 'CUser2',
> > >     'sn': 'CertificateUser2',
> > >     'givenName': 'CU2',
> > >     'description': "This is certUser2's description",
> > >     'mail': '[email protected]',
> > >     'userPassword': PW_DM,
> > >     'userCertificate': 'some_cert_+++NUhz+Rigq7xT5g0Jqo1gXq1jJFdCw==',
> > >     'manager': f'uid=certUser2,ou=People,{DEFAULT_SUFFIX}',
> > >     'homeDirectory': '/home/' + 'certUser2',
> > >     'uidNumber': '1000',
> > >     'gidNumber': '2000'
> > > })
> > > 
> > > Here I have put the userCertificate field manually (which I don't want to do). 
> > > But how can I achieve this without putting the userCertificate field manually? 
> > > Like create a user and the userCertificate field will be auto-filled with 
> > > auto-generated certificates.
> > > 
> > > Regards
> > > Anuj Borah
> > > _______________________________________________
> > > 389-devel mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: 
> > > https://lists.fedoraproject.org/archives/list/[email protected]
> > 
> 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
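The mapping William describes above (the certificate's cn matched to an entry's cn, trust coming from the CA signature, with binary userCertificate matching as the optional stricter mode), modelled as an added example that is not from the thread or from lib389. The HMAC "signature", the two CA secrets and the directory entry are constructed stand-ins for a real X.509 chain and a real 389 DS certmap.

```python
# Added example (not from the thread or lib389): a toy model of how a client
# certificate presented for a TLS EXTERNAL bind is mapped to a directory entry.
# The "CA signature" is an HMAC so it runs offline; a real server checks an X.509 chain.
import hashlib
import hmac
import json

CA_SECRET = b"constructed-ca-secret"      # stands in for the trusted CA's key
ROGUE_SECRET = b"constructed-rogue-ca"    # a CA the server does not trust

def issue_cert(ca_secret, subject_cn, serial):
    # A toy certificate: an encoded body plus the CA's HMAC over that body.
    body = json.dumps({"cn": subject_cn, "serial": serial}, sort_keys=True).encode()
    return {"cn": subject_cn, "der": body,
            "sig": hmac.new(ca_secret, body, hashlib.sha256).digest()}

def issued_by_trusted_ca(cert, ca_secret):
    # Chain check: only certificates signed by the trusted CA are considered at all.
    expected = hmac.new(ca_secret, cert["der"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert["sig"])

def map_cert_to_entry(cert, ca_secret, directory, verify_cert):
    """Return the DN the client binds as, or None when the bind is refused.
    Default (verify_cert=False): a CA-signed cert whose cn matches exactly one
    entry identifies that user, no userCertificate needed. verify_cert=True also
    requires the presented cert, byte for byte, among the entry's userCertificate."""
    if not issued_by_trusted_ca(cert, ca_secret):
        return None
    matches = [e for e in directory if e["cn"] == cert["cn"]]
    if len(matches) != 1:          # no entry, or an ambiguous mapping: refuse
        return None
    entry = matches[0]
    if verify_cert and cert["der"] not in entry.get("userCertificate", []):
        return None
    return entry["dn"]

def demo():
    # The scenarios discussed in the thread; returns {scenario: bound DN or None}.
    current = issue_cert(CA_SECRET, "testuser", 1)     # the cert stored on the entry
    reissued = issue_cert(CA_SECRET, "testuser", 2)    # same cn, freshly issued
    rogue = issue_cert(ROGUE_SECRET, "testuser", 1)    # right cn, untrusted issuer
    directory = [{"dn": "uid=testuser,ou=People,dc=example,dc=com", "cn": "testuser",
                  "userCertificate": [current["der"]]}]
    return {
        "current/default": map_cert_to_entry(current, CA_SECRET, directory, False),
        "current/verify": map_cert_to_entry(current, CA_SECRET, directory, True),
        "reissued/default": map_cert_to_entry(reissued, CA_SECRET, directory, False),
        "reissued/verify": map_cert_to_entry(reissued, CA_SECRET, directory, True),
        "rogue/default": map_cert_to_entry(rogue, CA_SECRET, directory, False),
    }
```

The reissued certificate shows the practical difference between the two modes: in the default mode the CA is trusted to bind the name, so any current certificate it issues for that cn logs the user in, while binary matching pins the entry to the exact certificate stored in userCertificate.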