hi, I am testing certificate authentication to ipa ldap ( centos 7.2 ).
I have generated a user certificate following the instructions on
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

After that I modified my $HOME/.ldaprc with these settings:

  TLS_CERT /path/to/user10.pem
  TLS_KEY /path/to/user10.key

The certificate has this subject:

  $ openssl x509 -in user10.pem -subject -noout
  subject= /O=SUB.DOMAIN.TLD/CN=user10

Then I try ldapsearch:

Using GSSAPI, ldapsearch works fine:

  ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
  ....
  # search result
  search: 5
  result: 0 Success

  # numResponses: 1002
  # numEntries: 1001

Using EXTERNAL, no cookie:

  $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
  SASL/EXTERNAL authentication started
  ldap_sasl_interactive_bind_s: Invalid credentials (49)
          additional info: client certificate mapping failed

I came across this page in the 389 wiki:
http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html

But I am not really sure how to accomplish this. Is this possible in freeipa?

Thanks in advance.

Regards,
Natxo
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
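An added diagnostic for the "client certificate mapping failed" error above (my script, not code from the post, 389 DS or FreeIPA). It assumes the GSSAPI bind shown in the post still works, that OpenSSL accepts -nameopt compat, and it models certmap's FilterComps handling as the linked howto describes it; the certmap.conf entry name and the exact filter string the server builds are assumptions.

```shell
#!/bin/sh
# 389 DS certmap.conf keys on the certificate's issuer DN in RFC 2253 form and
# turns the FilterComps list into an LDAP search that must hit exactly one entry
# (with verifycert on, that entry must also carry the cert in userCertificate).

# OpenSSL one-line "/O=SUB.DOMAIN.TLD/CN=user10" -> "CN=user10,O=SUB.DOMAIN.TLD".
# Assumes no RDN value contains a literal '/'.
slash_dn_to_rfc2253() {
    printf '%s\n' "$1" | tr '/' '\n' | sed '/^$/d' | sed -n '1!G;h;$p' | paste -s -d, -
}

# Equivalent filter certmap builds from FilterComps ($2, comma-separated) and the
# RFC 2253 subject ($1): each listed certificate attribute must equal the
# same-named entry attribute; "e" (email) is the one that maps to "mail".
certmap_filter() {
    subject=$1; comps=$2; filter=''; n=0
    old_ifs=$IFS; IFS=,
    for comp in $comps; do
        comp=$(printf '%s' "$comp" | tr -d ' ' | tr 'A-Z' 'a-z')
        attr=$comp
        if [ "$comp" = e ]; then attr=mail; fi
        for rdn in $subject; do
            key=$(printf '%s' "${rdn%%=*}" | tr 'A-Z' 'a-z')
            if [ "$key" = "$comp" ]; then
                filter="$filter($attr=${rdn#*=})"; n=$((n + 1))
            fi
        done
    done
    IFS=$old_ifs
    case $n in
        0) printf '(objectclass=*)\n' ;;   # empty FilterComps: whole base is searched
        1) printf '%s\n' "$filter" ;;
        *) printf '(&%s)\n' "$filter" ;;
    esac
}

# Live check against the server, reusing the GSSAPI bind that already works.
# $1 = client cert PEM, $2 = FilterComps value, $3 = search base.
check_mapping() {
    cert=$1; comps=$2; base=$3
    # -nameopt compat keeps the slash form on both OpenSSL 1.0 and 1.1
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt compat | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt compat | sed 's/^subject= *//')
    echo "certmap.conf needs: certmap <name> $(slash_dn_to_rfc2253 "$issuer")"
    filter=$(certmap_filter "$(slash_dn_to_rfc2253 "$subject")" "$comps")
    echo "server-side search: -b $base '$filter' (must return exactly one entry)"
    ldapsearch -Y GSSAPI -ZZ -LLL -b "$base" "$filter" userCertificate
}

if [ $# -eq 3 ]; then check_mapping "$1" "$2" "$3"; fi
```

Run it as `sh check.sh user10.pem cn dc=sub,dc=domain,dc=tld`; zero or several returned entries explains the mapping failure before touching certmap.conf.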