Hi Rob,

The CSR is generated within the web UI by following this section, "Web UI: Requesting new certificates" ( https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/certificates ).

I am looking to perform an authenticated ldapsearch using certificate-based authentication so I don't have to pass the username and password on the command line when searching against cn=groups,cn=accounts. It looks like only an authenticated ldapsearch will yield memberOf info (usernames that belong to the group), but an anonymous ldapsearch will only yield group container info without memberOf UIDs.

This document ( https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/securing_red_hat_directory_server/assembly_configuring-certificate-based-authentication_securing-rhds ) says we need to have a .ldaprc which includes the user's private key, hence my original question:

LDAPTLS_CACERT=/home/user_name/CA.crt
LDAPTLS_KEY=/home/user_name/user.key
LDAPTLS_CERT=/home/user_name/user.der

Will my certificate-based ldapsearch work without user.key defined? So far I haven't been able to perform the ldapsearch because I am getting:

ldap_start_tls: Can't contact LDAP server (-1)
	additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)

Any pointers will be greatly appreciated!

--Tony

On Tue, Oct 17, 2023 at 4:58 AM Rob Crittenden <[email protected]> wrote:
> HUANG, TONY via FreeIPA-users wrote:
> > Hi,
> >
> > I am trying to achieve user authentication against IdM using the user's
> > certificate. The user certificate is requested from the built-in CA within IdM
> > and signed by it.
> >
> > I am able to download the user's public cert via the web UI, but how can
> > I download the private key so I can define it in the user's .ldaprc file?
>
> IPA never has access to a user's private key. A key is generated by the
> user (e.g. openssl genrsa) and a CSR (Certificate Signing Request) using
> that key (openssl req). So the user should already possess the private key.
>
> This is assuming the user used openssl to generate the key. With NSS the
> private key would be in whatever database was used to create the CSR.
>
> rob
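The procedure the two messages describe, as an added example that is not part of the thread and not FreeIPA's own tooling: the private key and CSR are created on the client (so there is nothing to download from IdM), the certificate IdM returns is converted from DER to PEM because the OpenLDAP client libraries read PEM for TLS_CERT/TLS_KEY, the .ldaprc points TLS_CACERT at the IdM CA chain (which is what the "self signed certificate in certificate chain" verify failure is complaining about), and the bind uses SASL EXTERNAL over STARTTLS. The host name ipa.example.test, base DN dc=example,dc=test, user name tony, organization EXAMPLE.TEST and the /etc/ipa/ca.crt path of an enrolled client are assumptions; the ldapsearch command is printed rather than executed so the script runs without a server.

```shell
#!/bin/sh
# Added example for the thread above (not FreeIPA code). Assumed: an enrolled
# client with /etc/ipa/ca.crt, user "tony", org EXAMPLE.TEST, host
# ipa.example.test, base dc=example,dc=test.
set -eu

# 1. The key never leaves the client. Generate it and the CSR locally; the
#    CSR is what gets pasted into the web UI. IdM's user certificate profile
#    expects the subject CN to be the user's uid.
gen_user_key_csr() {   # args: work_dir uid org
    wd=$1; user=$2; org=$3
    openssl genrsa -out "$wd/user.key" 3072 2>/dev/null
    chmod 600 "$wd/user.key"
    openssl req -new -key "$wd/user.key" -subj "/O=$org/CN=$user" \
        -out "$wd/user.csr"
    # Sanity check: the CSR's self-signature verifies with the key just made.
    openssl req -in "$wd/user.csr" -noout -verify >/dev/null 2>&1
}

# 2. The web UI hands back a DER-encoded certificate; OpenLDAP's TLS_CERT and
#    TLS_KEY expect PEM, so convert before pointing .ldaprc at it.
der_to_pem() {         # args: in.der out.pem
    openssl x509 -inform DER -in "$1" -out "$2"
}

# 3. Write the .ldaprc. TLS_CACERT must contain the IdM CA chain; if the
#    client only knows the public CA bundle, start_tls fails with
#    "certificate verify failed (self signed certificate in certificate chain)".
write_ldaprc() {       # args: rcfile cacert cert_pem key_pem
    cat > "$1" <<EOF
TLS_CACERT $2
TLS_CERT   $3
TLS_KEY    $4
TLS_REQCERT demand
EOF
    chmod 600 "$1"
}

# 4. Certificate-based bind: -ZZ makes STARTTLS mandatory, -Y EXTERNAL asks
#    the server to authenticate the client from the TLS certificate instead of
#    a DN and password. The group's member attribute lists its users.
ldapsearch_cmd() {     # args: host base_dn group
    printf 'ldapsearch -H ldap://%s -ZZ -Y EXTERNAL -b "cn=%s,cn=groups,cn=accounts,%s" member\n' \
        "$1" "$3" "$2"
}

# Usage (run by hand; assumed names):
#   gen_user_key_csr "$HOME" tony EXAMPLE.TEST      # paste $HOME/user.csr into the web UI
#   der_to_pem "$HOME/user.der" "$HOME/user.pem"    # after downloading the issued cert
#   write_ldaprc "$HOME/.ldaprc" /etc/ipa/ca.crt "$HOME/user.pem" "$HOME/user.key"
#   $(ldapsearch_cmd ipa.example.test dc=example,dc=test admins)
```

Setting LDAPTLS_CACERT, LDAPTLS_CERT and LDAPTLS_KEY in the environment is equivalent to the TLS_* lines in .ldaprc; either way the client needs the CA that signed the IdM LDAP server certificate, and the certificate/key pair given to the client library must be the one issued for the user whose entry the server maps the certificate to.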
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]