Hello,

I'm trying to allow authentication using YubiKeys on clients without importing 
users' certificates into IdM.
I use an external PKI that signs everything, so I have the root CA and one sub 
CA named piv that signs users' CSRs (which are stored on the YubiKeys).
On the server, the output of ipa-advise config-server-for-smart-card-auth is 
executed, and the output of ipa-advise config-client-for-smart-card-auth is also 
executed on the client.
I added both the certificate mapping rule and the certificate mapping data 
(Issuer and Subject) according to the Red Hat documentation.

Steps to Reproduce:
In an environment with no internet access, using at least three VMs on RHEL 9: one 
for IPA, one as a workstation and one that will be the DHCP, DNS and NTP server.
Once the DNS and DHCP are configured, I generated a root CA and two sub CAs, 
one for signing users' CSRs (piv) and one for signing everything else (like IPA).
Once IPA is installed with an external CA, I executed the output of ipa-advise 
config-server-for-smart-card-auth to load and configure IPA for smart cards.
Then I added the Certificate Identity Mapping Rule:
Mapping rule: 
(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
Matching rule: <ISSUER>CN=piv,C=FR
Once the client is registered in IPA, I executed the output of ipa-advise 
config-client-for-smart-card-auth to load and configure the client for 
smart cards.
Then I registered a new user with PKINIT enabled and created certificate 
mapping data for him with the correct Subject and the same Issuer as in the 
Certificate Identity Mapping Rule.
Finally, I set up the YubiKey for the corresponding user using the PKI and 
signed his certificate with the piv CA.

Actual behavior:
If the user certificate is not present in IPA, I'm prompted to enter the PIN 
code (the YubiKey is recognized and the user is automatically selected), but 
then I get the error "Sorry, smart card authentication didn't work, please try 
again".

On the IPA server, if I use the command ipa certmap-match <user-certificate>, no 
users are found. Furthermore, in SSSD I can see that the server is trying to 
find a user with the certificate stored on the YubiKey instead of trying to 
check whether the certificate is valid and signed by the piv sub CA.

Expected behavior:
I would expect to be logged in.

Version/Release/Distribution:
ipa-server-4.10.1-9.el9_2.x86_64
ipa-client-4.10.1-9.el9_2.x86_64
389-ds-base-2.2.4-5.el9_2.x86_64
krb5-server-1.20.1-9.el9_2.x86_64
sssd-2.8.2-3.el9_2.x86_64

Additional info:
I can provide more logs if necessary, but I don't know which ones you would want.

Thanks
Whidix
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
