Hi,

On Tue, Aug 6, 2024 at 10:56 PM Theodor Vallier via FreeIPA-users <
[email protected]> wrote:

> Hello,
>
> I'm trying to allow authentication using Yubikeys on clients without
> importing users' certificates in IdM.
> I use an external PKI that signs everything, so I have the root CA and one
> sub CA named piv that signs users' CSRs (which are stored in Yubikeys).
> On the server, the output of ipa-advise config-server-for-smart-card-auth
> is executed, and the output of ipa-advise config-client-for-smart-card-auth
> is also executed on the client.
> I added both the certificate mapping rule and the certificate mapping data
> (Issuer and Subject) according to the Red Hat documentation.
>
> Steps to Reproduce:
> In an internet-forbidden environment, using at least three VMs on RHEL9:
> one for IPA, one as a workstation and one that will be the DHCP, DNS and
> NTP server.
> Once the DNS and DHCP are configured, I generated a root CA and two sub
> CAs, one for signing users' CSRs (piv) and one for signing everything else
> (like ipa).
> Once ipa is installed with an external ca, I executed the output of
> ipa-advise config-server-for-smart-card-auth to load and configure ipa for
> smartcard.
> Then I added the Certificate Identity Mapping Rule:
> Mapping rule:
> (ipacertmapdata=X509:<I\>{issuer\_dn!nss\_x500}<S>{subject_dn!nss_x500})
>
Can you paste the output of ipa certmap-show <your_rule>? There are \
characters in your mapping rule and I wonder whether it's a copy-paste error
or an invalid mapping rule.
You may also find troubleshooting tips in this post:
https://floblanc.wordpress.com/2017/06/02/troubleshooting-mapping-between-a-smartcard-certificate-and-an-idm-user/

HTH,
flo


> Matching rule: <ISSUER>CN=piv,C=FR
> Once the client is registered in ipa, I executed the output of ipa-advise
> config-client-for-smart-card-auth to load and configure the client for
> smartcard.
> Then I registered a new user with pkinit enabled, and I created
> Certificate mapping data for him with the correct Subject and the same Issuer
> as the Certificate Identity Mapping Rule.
> Finally, I set up the yubikey for the corresponding user using the PKI and
> signed his certificate with the piv CA.
>
> Actual behavior:
> If the user certificate is not present in ipa, I'm prompted to enter the
> PIN code (the Yubikey is recognized and the user is automatically
> selected), but then I get the error "Sorry, smart card authentication
> didn't work, please try again".
>
> On ipa server, if I use the command ipa certmap-match <user-certificate>,
> no users are found. Furthermore, in sssd I can see that the server is
> trying to find a user with the certificate stored on the yubikey instead of
> trying to check if the certificate is valid and signed by the piv sub CA.
>
> Expected behavior:
> I would expect to be logged in.
>
> Version/Release/Distribution:
> ipa-server-4.10.1-9.el9_2.x86_64
> ipa-client-4.10.1-9.el9_2.x86_64
> 389-ds-base-2.2.4-5.el9_2.x86_64
> krb5-server-1.20.1-9.el9_2.x86_64
> sssd-2.8.2-3.el9_2.x86_64
>
> Additional info:
> I can provide more logs if necessary but don't know which ones you could
> want.
>
> Thanks
> Whidix
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
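As an added illustration of the check flo suggests (this is not code from the thread, FreeIPA or SSSD), a small Python model of how a smart-card certificate's issuer and subject pass through the matching rule and the mapping rule, ending in the lookup that ipa certmap-match performs: the rule exactly as pasted in the post, backslashes included, is rejected, while a corrected rule finds the user. It assumes SSSD certmap semantics (the <ISSUER> part is a regular expression searched in the issuer DN; {issuer_dn!nss_x500} and {subject_dn!nss_x500} are replaced by the DN in RFC 4514 order), leaves out LDAP filter escaping, and uses constructed user names and DNs.

```python
import re

# Recognised placeholders of a mapping rule; bare and !nss_x500 forms both render
# the DN in RFC 4514 order (assumption; ad_x500 and other formatters are omitted).
TEMPLATE = re.compile(r"\{(issuer_dn|subject_dn)(?:!nss_x500)?\}")
ANY_BRACES = re.compile(r"\{[^{}]*\}")

def broken_templates(rule):
    """Return the {...} placeholders this model cannot render, such as
    '{issuer\\_dn!nss\\_x500}' with stray backslashes."""
    return [t for t in ANY_BRACES.findall(rule) if not TEMPLATE.fullmatch(t)]

def render_mapping_rule(rule, cert):
    """Substitute the placeholders of a mapping rule with the certificate's DNs."""
    bad = broken_templates(rule)
    if bad:
        raise ValueError(f"unknown template(s) {bad} in mapping rule")
    return TEMPLATE.sub(lambda m: cert[m.group(1)], rule)

def matches_matching_rule(matching_rule, cert):
    """Apply a '<ISSUER>regex' / '<SUBJECT>regex' matching rule (regex search)."""
    keys = {"ISSUER": "issuer_dn", "SUBJECT": "subject_dn"}
    parts = re.findall(r"<(ISSUER|SUBJECT)>([^<]*)", matching_rule)
    return all(re.search(pattern, cert[keys[kind]]) for kind, pattern in parts)

def certmap_match(cert, matching_rule, mapping_rule, users):
    """Return the logins whose ipacertmapdata equals the rendered filter value.
    'users' maps a login to its list of ipacertmapdata values; real LDAP
    filter escaping of the characters * ( ) \\ is left out of this model."""
    if not matches_matching_rule(matching_rule, cert):
        return []
    filt = render_mapping_rule(mapping_rule, cert)
    m = re.fullmatch(r"\(ipacertmapdata=(.*)\)", filt)
    if m is None:
        raise ValueError(f"unsupported filter {filt!r}")
    return sorted(login for login, data in users.items() if m.group(1) in data)

# Constructed sample data (not from the thread): the rule as pasted in the post,
# a corrected rule, a smart-card certificate and two users' mapping data.
MATCHING_RULE = "<ISSUER>CN=piv,C=FR"
RULE_FROM_POST = r"(ipacertmapdata=X509:<I\>{issuer\_dn!nss\_x500}<S>{subject_dn!nss_x500})"
RULE_FIXED = "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})"
CARD_CERT = {"issuer_dn": "CN=piv,C=FR", "subject_dn": "CN=alice,OU=users,C=FR"}
USERS = {"alice": ["X509:<I>CN=piv,C=FR<S>CN=alice,OU=users,C=FR"],
         "bob": ["X509:<I>CN=piv,C=FR<S>CN=bob,OU=users,C=FR"]}

if __name__ == "__main__":
    print(certmap_match(CARD_CERT, MATCHING_RULE, RULE_FIXED, USERS))  # ['alice']
    print(broken_templates(RULE_FROM_POST))  # ['{issuer\\_dn!nss\\_x500}']
```

Comparing the rendered filter value with the user's stored ipacertmapdata, byte for byte, is the quickest way to see why certmap-match returns nothing.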
