On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Natxo Asenjo wrote:

> > Using EXTERNAL, no cookie:
> > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL
> > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >     additional info: client certificate mapping failed
> >
> > I came across this page in the 389 wiki:
> >
> > http://directory.fedoraproject.org/docs/389ds/howto/howto-certmapping.html
> >
> > But I am not really sure how to accomplish this.
> >
> > Is this possible in freeipa?
> I don't see why not. You just need to be able to map the subject of the
> cert to a single entry. That's what certmap.conf attempts to do.

ok, I got it working, but it took some effort.

Let's see, in certmap.conf the config is like this out of the box:

certmap default         default
#default:FilterComps    e, uid
#default:verifycert     on
#default:CmapLdapAttr   certSubjectDN
#default:library        <path_to_shared_lib_or_dll>
#default:InitFn         <Init function's name>
default:FilterComps     uid
certmap ipaca           CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr      seeAlso
ipaca:verifycert        on

So, there is an additional mapping for ipaca, which is handy. But the
CmapLdapAttr points to 'seeAlso', and if you change that to
usercertificate;binary (where the usercertificates are), the tomcat pki
service will no longer start because

DN: uid=pkidbuser,ou=people,o=ipaca

has this seealso attribute: CN=CA Subsystem,O=SUB.DOMAIN.TLD

so we cannot change the cmapldapattr to something else, but we can add a
seealso attribute to the user account, like cn=username,o=SUB.DOMAIN.TLD.
And then it works.

This could be very handy for web applications.

Nice. Thanks for the pointer.
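A small model of the mapping walked through above, added here as an example; it is not part of the original message and is not 389 DS code. It parses the certmap.conf blocks quoted in the thread and shows that a cert from the ipaca issuer maps to nothing out of the box, maps once the user's entry carries a seeAlso equal to the cert subject, and, with verifycert on, only if the entry also stores the cert. The two directory entries, the certificate placeholder and the rule that a property unset in a block is taken from the default block are assumptions of this model.

```python
import re
# Constructed inputs: the certmap.conf blocks quoted in the thread and a two-entry directory.
CERTMAP_CONF = """
certmap default         default
default:FilterComps     uid
certmap ipaca           CN=Certificate Authority,O=SUB.DOMAIN.TLD
ipaca:CmapLdapAttr      seeAlso
ipaca:verifycert        on
"""
CERT = b"<constructed placeholder for the client certificate DER>"
DIRECTORY = {  # attribute names lowercased, values as lists, as an LDAP client would see them
    "uid=alice,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld": {"uid": ["alice"], "usercertificate;binary": [CERT]},
    "uid=pkidbuser,ou=people,o=ipaca": {"uid": ["pkidbuser"], "seealso": ["CN=CA Subsystem,O=SUB.DOMAIN.TLD"]},
}

def norm_dn(dn):
    """Comparison key for DNs: case-insensitive, no whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def parse_certmap(text):
    """Parse certmap.conf into {name: {'issuer': dn, '<prop>': value, ...}}."""
    maps = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer}
        else:
            key, value = line.split(None, 1)
            name, prop = key.split(":", 1)
            maps.setdefault(name, {})[prop] = value
    return maps

def map_cert(maps, issuer_dn, subject_dn, cert_der, directory):
    """Entry DN the cert maps to, or None, which the server reports as 'client certificate mapping failed'."""
    block = next((m for m in maps.values() if norm_dn(m["issuer"]) == norm_dn(issuer_dn)), maps["default"])
    prop = lambda p: block.get(p, maps["default"].get(p))  # model assumption: unset props come from 'default'
    hits = []
    if prop("CmapLdapAttr"):  # entries whose seeAlso holds the certificate's subject DN
        hits = [dn for dn, e in directory.items()
                if any(norm_dn(v) == norm_dn(subject_dn) for v in e.get(prop("CmapLdapAttr").lower(), []))]
    if not hits and prop("FilterComps"):  # fall back to a filter such as (uid=<uid from the subject>)
        subj = dict((k.strip().lower(), v.strip()) for k, v in (r.split("=", 1) for r in subject_dn.split(",")))
        comps = [c.strip().lower() for c in prop("FilterComps").split(",")]
        hits = [dn for dn, e in directory.items() if all(subj.get(c) in e.get(c, []) for c in comps)]
    if prop("verifycert") == "on":  # the presented cert must also be stored on the matched entry
        hits = [dn for dn in hits if cert_der in directory[dn].get("usercertificate;binary", [])]
    return hits[0] if len(hits) == 1 else None
```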

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project