I am testing certificate authentication to ipa ldap ( centos 7.2 ).

I have generated a user certificate following the instructions on

After that I modified my $HOME/.ldaprc with these settings:

TLS_CERT /path/to/user10.pem
TLS_KEY /path/to/user10.key

The certificate has this subject:
$ openssl x509 -in user10.pem -subject -noout
subject= /O=SUB.DOMAIN.TLD/CN=user10

Then I try ldapsearch:

Using GSSAPI, ldapsearch works fine:
ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s sub
-b dc=sub,dc=domain,dc=tld cn

# search result
search: 5
result: 0 Success

# numResponses: 1002
# numEntries: 1001

Using EXTERNAL, no cookie:
$ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL objectclass=person
-s sub -b dc=sub,dc=domain,dc=tld cn
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: client certificate mapping failed

I came across this page in the 389 wiki:


But I am not really sure how to accomplish this.

Is this possible in freeipa?

Thanks in advance.
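As an added illustration, not part of the thread: the "client certificate mapping failed" error comes from the directory server's certificate-to-entry mapping, which 389 Directory Server configures in certmap.conf. The fragment below shows that file's format for a subject like /O=SUB.DOMAIN.TLD/CN=user10; the instance path and the issuer DN are assumptions and must be checked against the actual CA (openssl x509 -issuer -noout).

```conf
# /etc/dirsrv/slapd-INSTANCE/certmap.conf   (INSTANCE is a placeholder)
#
# Each "certmap <name> <issuerDN>" line starts a mapping block that applies to
# certificates issued by that CA; "default default" is the catch-all block.
# Settings below reference the block by name, as <name>:<setting>.

certmap default default
# DNComps: which certificate subject components form the search base.
# Left empty, the search starts at the directory suffix (dc=sub,dc=domain,dc=tld).
default:DNComps
# FilterComps: subject components used to build the search filter.
# With "cn", the subject CN=user10 becomes the filter (cn=user10).
default:FilterComps     cn
# verifycert on: the entry found must also carry this exact certificate in its
# userCertificate attribute, so a forged subject alone is not enough to bind.
default:verifycert      on

# Optional stricter block for one issuer only (assumed issuer DN, verify it):
# certmap ipaca CN=Certificate Authority,O=SUB.DOMAIN.TLD
# ipaca:DNComps
# ipaca:FilterComps     cn
# ipaca:verifycert      on
```

The server must be restarted after editing the file, and with verifycert on the user entry needs the DER-encoded certificate stored in userCertificate for the EXTERNAL bind to succeed.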
