Natxo Asenjo wrote:
> hi,
>
> I am testing certificate authentication to ipa ldap ( centos 7.2 ).
>
> I have generated a user certificate following the instructions on
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> After that I modified my $HOME/.ldaprc with these settings:
>
> TLS_CERT /path/to/user10.pem
> TLS_KEY /path/to/user10.key
>
> The certificate has this subject:
> $ openssl x509 -in user10.pem -subject -noout
> subject= /O=SUB.DOMAIN.TLD/CN=user10
>
> Then I try ldapsearch:
>
> using GSSAPI, ldapsearch works fine:
> ldapsearch -h kdc1.sub.domain.tld -ZZ -Y GSSAPI objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
>
> ....
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 1002
> # numEntries: 1001
>
> Using EXTERNAL, no cookie:
> $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: client certificate mapping failed
>
> I came across this page in the 389 wiki:
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
>
> But I am not really sure how to accomplish this.
>
> Is this possible in freeipa?
I don't see why not. You just need to be able to map the subject of the cert to a single entry. That's what certmap.conf attempts to do. Given that the certificate is stored with the user you can probably even set verifycert to on (this compares the cert in LDAP to the one presented, it is a poor-man's CRL).

I haven't used certmap.conf in longer than I'd like to admit and it was usually a pain to set up. It looks like the 389-ds docs are far better than anything I used in the past so I think it may be fairly easy.

Let the 389-ds access log be your guide to getting the filter and dn comps right.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
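A concrete certmap.conf for the subject shown in the question (/O=SUB.DOMAIN.TLD/CN=user10), added here as an example; it is neither from the thread nor FreeIPA's shipped configuration. It assumes three things that must be checked before use: that the certificate's issuer is the IPA CA with the default subject `CN=Certificate Authority,O=SUB.DOMAIN.TLD` (compare with `openssl x509 -in user10.pem -issuer -noout`), that the 389-ds instance is named `SUB-DOMAIN-TLD` (IPA derives it from the realm), and that the IPA user entry carries `cn=user10`, since the filter below is built from the certificate's CN.

```conf
# /etc/dirsrv/slapd-SUB-DOMAIN-TLD/certmap.conf
# Added example, not from the thread. Instance name, issuer DN and the
# user's cn value are assumptions; verify each before relying on this.

# Default rule: used for certificates whose issuer matches no other rule.
# DNComps present but empty: search the whole tree from the server's base
# instead of deriving a base DN from the subject. FilterComps e, uid: the
# subject's e (mapped to the LDAP attribute mail) and uid build the filter.
certmap default         default
default:DNComps
default:FilterComps     e, uid
default:verifycert      on

# Rule for certificates issued by the IPA CA. The issuer DN on this line
# must match the certificate's issuer exactly (assumed default IPA CA).
certmap ipaca           CN=Certificate Authority,O=SUB.DOMAIN.TLD
# Empty DNComps: the subject has only O and CN, which do not form an IPA
# user DN, so do not build a base DN from it.
ipaca:DNComps
# FilterComps cn: the server searches with (cn=user10). Exactly one entry
# must match; zero or several matches yield the error from the question,
# "client certificate mapping failed".
ipaca:FilterComps       cn
# verifycert on: after the entry is found, the presented certificate must
# also be stored in that entry's userCertificate attribute.
ipaca:verifycert        on
```

Restart the instance afterwards (`systemctl restart dirsrv@SUB-DOMAIN-TLD`, or `ipactl restart`). To check the mapping by hand before touching the client, run the same search the server will run over a working bind, e.g. `ldapsearch -Y GSSAPI -b dc=sub,dc=domain,dc=tld '(cn=user10)' dn userCertificate`, and confirm it returns one entry whose userCertificate is the same certificate as user10.pem; if the IPA entry's cn is the full name rather than the login, the filter will miss and the certificate's CN has to be matched against an attribute that does hold it. As rob says, the SRCH lines in /var/log/dirsrv/slapd-SUB-DOMAIN-TLD/access show the base and filter the server actually built from these rules, which is the quickest way to see which side of the mapping is wrong.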