URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @sumit-bose,
I am not able to reproduce this issue:
```
[root@vm-161 ~]# kinit -k
[root@vm-161 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_h6XRpeK
Default principal: host/vm-161.example....@dom-161.example.com

Valid starting       Expires              Service principal
02/22/2017 21:30:10  02/23/2017 21:30:10  krbtgt/dom-161.example....@dom-161.example.com
[root@vm-161 ~]# ldapsearch -H ldap://vm-161 '(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))' -Y GSSAPI -LLL
SASL/GSSAPI authentication started
SASL username: host/vm-161.example....@dom-161.example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=rule1,cn=certmaprules,cn=certmap,dc=dom-161,dc=example,dc=com
objectClass: ipacertmaprule
objectClass: top
cn: rule1
description: d1
ipaEnabledFlag: TRUE
```
Do you have the ACI "permission:System: Read Certmap Rules" defined on dn: cn=certmaprules,cn=certmap,$BASEDN? It should grant access to ldap:///all
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-281795345