Natxo Asenjo wrote:
> hi,
> I am testing certificate authentication to ipa ldap ( centos 7.2 ).
> I have generated a user certificate following the instructions on
> After that I modified my $HOME/.ldaprc with these settings:
> TLS_CERT /path/to/user10.pem
> TLS_KEY /path/to/user10.key
> The certificate has this subject:
> $ openssl x509 -in user10.pem -subject -noout
> subject= /O=SUB.DOMAIN.TLD/CN=user10
> Then I try ldapsearch:
> using GSSAPI, ldapsearch works fine:
> ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s
> sub -b dc=sub,dc=domain,dc=tld cn
> ....
> # search result
> search: 5
> result: 0 Success
> # numResponses: 1002
> # numEntries: 1001
> Using EXTERNAL, no cookie:
> $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>     additional info: client certificate mapping failed
> I came accross this page in the 389 wiki:
> But I am not really sure how to accomplish this.
> Is this possible in freeipa?

I don't see why not. You just need to be able to map the subject of the
cert to a single entry. That's what certmap.conf attempts to do.

Given that the certificate is stored with the user you can probably even
set verifycert to on (this compares the cert in LDAP to the one
presented, it is a poor-man's CRL).

I haven't used certmap.conf in longer than I'd like to admit and it was
usually a pain to setup. It looks like the 389-ds docs are far better
than anything I used in the past so I think it may be fairly easy. Let
the 389-ds access log be your guide to getting the filter and dn comps


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to